
Hacking Revealed, version 2.0 (UK)

Hacking revealed

A hacker's analysis: their victories, their history, the hack itself.

Can we see it happen? Can we defend ourselves against it?


References

Author:   T.L.P. Heinsbroek B.ICT CISSP CISA
Company:  SeKuRiGo(1), http://www.sekurigo.nl
Date:     17 October 2012
License:  Attribution-Share Alike 3.0

1 SeKuRiGo is an independent company focusing on the cutting edge of organisation and IT, specialising in information security management, identity and access management and IT-audit.


Table of Contents

Preface .......................................................................................... 4

Hacking: an introduction ................................................................ 5

Hackers, crackers, phreakers and script kiddies ............................................. 5

Four generations ........................................................................................ 6

Cyber crime drivers .................................................................................... 6

Profiling Hackers ........................................................................... 8

First model ................................................................................................ 8

Second model ............................................................................................ 9

A history of hacking and hackers ................................................. 10

Famous hacks .......................................................................................... 10

Hacking matrix......................................................................................... 11

Famous hackers ....................................................................................... 12

The hack itself: objectives and methods ...................................... 15

Objectives ............................................................................................... 15

Ethical hacking ......................................................................................... 17

Social Engineering .................................................................................... 18

Phases of a hack (or how it works) .............................................. 20

Foot Printing ............................................................................................ 20

Scanning ................................................................................................. 20

Enumeration ............................................................................................ 21

Gaining Access ......................................................................................... 21

Escalating privilege ................................................................................... 22

Pilfering .................................................................................................. 22

Covering tracks ........................................................................................ 22

Creating backdoors ................................................................................... 23

Prevention: how not to get hacked .............................................. 24

General counter measures ......................................................................... 24

Identifying the hack .................................................................................. 26

Specific measures: top 10 defences ............................................................ 27

Epilogue ....................................................................................... 33

Bibliography ................................................................................ 34


Preface

Hacking seems to dominate the news recently. Comodo, Stuxnet, DigiNotar, Anonymous, LulzSec, Duqu, the KPN hack, the infected websites weeronline.nl and nu.nl, the Flashback botnet and Flame were all in the news. The question is: is hacking really so dominant at the moment, or do these hacks just get a lot of media exposure? Put differently: is hacking a new phenomenon, or has it always been with us?

In this whitepaper I will argue that hacking is not new, and that it is mostly the media attention and the openness of breached organisations that give us the impression that hacking dominates the news. I will also explain the types of hackers and their reasons and objectives for doing what they do. I will explain the difference between (professional and governmental) hackers, crackers, wannabes and script kiddies, and give a brief insight into techniques such as social engineering, installing Trojan horses and backdoors, zero-day exploits, using maintenance hooks, port scanning and enumeration. I will draw on scientific research by the United Nations Interregional Crime and Justice Research Institute (UNICRI), which shows that hacking has existed for decades and has evolved over the course of forty years. I will present the hacker profile, a model for identifying hackers by their modus operandi. With this model an organisation can identify the kind of hacker behind a hack.

The fact that hacking is not new does not mean it isn't dominant. There is, after all, a downside: many Internet-facing websites are still vulnerable to hacking and have no defence against one or more vulnerabilities, such as SQL injection. Therefore I will explain the hack itself and, last but certainly not least, supply information that helps you identify and analyse an attack and defend yourself by implementing preventive, detective, corrective and compensating countermeasures.


Hacking: an introduction

Hackers, crackers, phreakers and script kiddies

Hackers come in many forms and have different reasons for doing what they do. Roughly, there are four groups. Let me explain them.

A hacker sees himself as someone who wants to learn how computer systems and security work. His goal is to collect knowledge about security and systems; he does not intend to do damage. A hacker basically wants to learn, and he or she uses this knowledge to evaluate (computer) security. A hacker performs security assessments to find out whether the tested software is vulnerable to (unknown) exploits or has backdoors or trapdoors installed. If a hacker finds miscoded software functions, he is willing to reveal his findings to the owner of the software.

An ethical hacker is a hacker performing hacks on demand, i.e. someone asks him to perform these tests. He (or she) is bound by the constraints of a pre-determined contract between the ethical hacker and the sponsor or organisation.

Besides hackers there are the so-called crackers. Crackers are criminals. Their motives are less noble: brand recognition (Usenet, the dark hacker scene, IRC channels), personal gain and vindictive acts. Crackers are the ones who wreak the most havoc. They specialise in causing damage, stealing information, deactivating software protection, entering restricted security areas or programming viruses. In the hacker world, hackers are denoted white hats and crackers black hats(2).

Phreakers explore the farthest reaches of the telephone networks, using technology to manipulate signalling frequencies. They aim to make free calls to any part of the world and sometimes break into important switching centres. Currently, phreakers target mobile phones, wireless technology and VoIP (Voice over Internet Protocol).

At the bottom of the list we have the so-called 'wannabe lamers' and script kiddies. These are hackers who do not have much knowledge (yet) and make use of publicly available tools, which can often be found on the Internet. They rely entirely on these freely available tools and therefore acquire no knowledge of the underlying network infrastructure. They pick their targets randomly through Usenet or IRC channels. Sometimes script kiddies even launch attacks written for a specific Microsoft OS environment against a UNIX environment. Examples are website defacing, Ping of Death, Distributed Denial of Service (DDoS) and LOIC (Low Orbit Ion Cannon), all based on tooling, not on knowledge.

2 This originates from the old black-and-white Western movies, where the good guys wore a white hat and the bad guys wore a black hat.

While the cracker focuses on 'hacking on demand' and organised crime, the ethical hacker focuses on security research, finding zero-day exploits and selling his findings to the owner or vendor.

At the top of the list we find the professional hackers: the cyber-warrior, the industrial spy, the government agent and the military hacker. Driven by anger or espionage, sometimes directed by governmental agencies, they tend to attack the Internet infrastructure of other countries or private ("symbol") companies. They use hacking tools and techniques to gain access to sensitive information and to disrupt industrial facilities, but also to commit ordinary crime (online pharmacies, etc.).

Four generations

The first generation of hackers (1970s) was inspired by the need for knowledge. They mainly wanted to find out how computers work. This was (in those years) a very new technology, and the only way to find out more about it was by literally looking into the computer's hardware and software.

The second generation (1980-1984) was driven by curiosity. They wanted to figure out how operating systems and network components actually worked, and the only way to learn this was by hacking them. In the late 1980s hacking became a trend.

The third generation (1990s) was simply driven by the urge to hack: a mix of addiction, curiosity, learning new things, hacking IT systems and networks and exchanging information with the underground community. During this period new concepts such as hacker magazines, e-zines and electronic bulletin boards came into existence.

The fourth generation (2000 up until today) is mostly driven by anger and money. We often see subjects with very little know-how who assume it is cool, and brag about being a hacker. These hackers are hardly interested in the history of hacking and phreaking or in its culture and ethics. This is also where hacking meets politics (cyber-hacktivism, Occupy) and the criminal world (cyber crime).

Cyber crime drivers

The number of computer users, websites, web users and so on still grows every day, and so the number of potential victims and attack vectors increases every day. Thanks to broadband Internet, the use of powerful hacking tools and techniques goes unnoticed and hides within normal Internet traffic. This drives the hacker. Another major driver is making money, sometimes a lot of money: some botnet herders are known to earn more in one day than ordinary employees earn in a month.

A technical driver for cyber crime is the public availability of hacking tools and techniques. High volumes of trade are found on underground or black markets, where you can buy names and IP addresses of hacked victims, zero-day exploits, botnets for lease, ready-to-use attacks and stolen credit card numbers. Due to the current hacking exposure (bragging, personal gain) it is easy to recruit youngsters and form groups, which are then moulded into crackers and criminals. The final driver for hacking is the very low chance of getting caught, which attracts even more recruits.


Profiling Hackers

In 2004, a team of researchers started the so-called Hackers Profiling Project (HPP): a theoretical collection of evidence and observations from the IT security underground. The project led to a classification database, which was checked against the original theoretical model that defined the hacker profiles.

First model

The researchers drafted a model and then combined this first model with real evidence, such as convictions, as well as with actual observations of the real hacker world. The first model, which was purely theoretical, was published to raise awareness. In the same period the book(3) was published.

Profile                         | Rank         | Impact level | Target
--------------------------------|--------------|--------------|---------------------------------------------------------------
Wanna be lamer                  | Amateur      | Null         | End-user
Script kiddie                   | Amateur      | Low          | SME, specific security flaws
Cracker                         | Hobbyist     | Medium-high  | Business company
Ethical hacker                  | Hobbyist     | Medium       | Vendor, technology
Quiet, paranoid, skilled hacker | Hobbyist     | Medium-high  | On necessity
Cyber-warrior                   | Professional | High         | "Symbol" business company, end-user
Industrial spy                  | Professional | High         | Business company, corporation
Government agent                | Professional | High         | Government, suspected terrorist, strategic company, individual
Military hacker                 | Professional | High         | Government, strategic company

3 Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, ISBN 978-1-4200-8693-5.


Second model

In 2005 and 2007 some dramatic changes were witnessed within the hacking underground scene. The changes concerned moods, new actors, and an increase in organised crime involvement and information warfare. These observations led to a second model that was more than just theoretical. This model makes it possible to profile hacks and to define methods of defence based on the experience and technology level of the hacker.

Profile                         | Offender ID                                             | Lone/group hacker         | Motivations/purpose
--------------------------------|---------------------------------------------------------|---------------------------|---------------------------------------------------------------------------
Wanna be lamer                  | 9-16 years; "I would like to be a hacker, but I can't"  | Group                     | For fashion, it's cool: to boast and brag
Script kiddie                   | 10-18 years; the script boy                             | Group, but they act alone | To give vent to their anger, attract mass media attention
Cracker                         | 17-30 years; the destructor, burned ground              | Lone                      | To demonstrate their power, attract mass media attention
Ethical hacker                  | 15-50 years; the 'ethical' hacker's world               | Lone, group only for fun  | For curiosity, to learn, and altruistic purposes
Quiet, paranoid, skilled hacker | 16-40 years; the very specialised and paranoid hacker   | Lone                      | For curiosity, to learn: egoistic purposes
Cyber-warrior                   | 18-50 years; the soldier, hacking for money             | Lone                      | For profit
Industrial spy                  | 22-45 years; industrial espionage                       | Lone                      | For profit
Government agent                | 25-45 years; CIA, Mossad, FBI, etc.                     | Lone/group                | Espionage, counter-espionage, vulnerability testing, activity monitoring
Military hacker                 | 25-45 years                                             | Lone/group                | Monitoring, controlling, crashing systems


A history of hacking and hackers

OK, so now we have an idea of the hacker's world and know a bit more about the persons behind the masks. This leaves us with the following questions: is hacking a new phenomenon, or does it just attract more media exposure?

Famous hacks

According to a recent article(4) in the Dutch computer magazine CHIP, hacking is not new. The article states that the very first hack was already performed in 1184 BC, when the famous Trojan horse was left on the beach. And there are many more historic hacks, such as the cracking of the Enigma code and recent cyber attacks. Below is a historic overview of famous hacks:

Date    | Name           | Hack
--------|----------------|----------------------------------------------------------------------------------------------------
1184 BC | Trojan horse   | A Greek attack force hidden in a wooden horse, left on the beach. Later this became the name for a class of malicious software.
1939    | Enigma         | An international team of cryptologists cracks the German Enigma code.
1961    | Space War      | Steve Russell writes the first computer game, Space War, on a research computer at MIT.
1971    | Blue Box       | John T. Draper manages to control the AT&T voice response dialling system with a simple whistle. After this, the Blue Box is developed to make free telephone calls.
1984    | Btx-hack       | The Chaos Computer Club (CCC) takes € 135,000 by breaking through the security of the Bildschirmtext system. One day later, they return the money.
1988    | Morris worm    | Robert Tappan Morris, aged 23, writes the first Internet worm.
1993    | Green Building | MIT students create a giant decibel meter on their student building on the campus.
1999    | DeCSS          | A 15-year-old (!) Norwegian, Jon Lech Johansen, cracks the encryption of DVDs.
2000    | I Love You     | This computer worm, wrapped in an 'I love you' message, spreads across the world and causes billions in damage.
2007    | Estonia        | Cyber attacks launched at the Estonian government, the parliament, the banking systems and the media.
2010    | Stuxnet        | A computer worm specifically constructed to attack industrial IT infrastructures. The worm targeted Iranian nuclear facilities and the industrial control software used for enriching uranium. While no government came forward to claim responsibility for Stuxnet, those on the front lines of IT security are certain that a government agency created it, such as the National Security Agency of the U.S. or a similar organisation in Israel or the UK.
2010    | Kinect         | Xbox 360 fans, unwilling to wait for the official launch of the Kinect hardware, write their own code to drive the Kinect.
2011    | PSN hack       | During several hacks at the Sony PlayStation Network, the details of more than 1000 customer credit cards are stolen. After the PlayStation Network (PSN) had been down for a week, Sony finally admitted that "user account information was compromised in connection with an illegal and unauthorized intrusion into our network."
2011    | DigiNotar      | On 29 August 2011 it became known that a fraudulent DigiNotar certificate had been issued for google.com as a result of an intrusion, which finally led to the bankruptcy of DigiNotar.
2011    | Duqu           | The next generation of Stuxnet. This sophisticated Trojan is likely the brainchild of a government security apparatus.
2012    | Cyber war      | According to many IT security experts, cyber attacks performed by governments or governmental agencies will focus on energy IT infrastructures as well.
2012    | Flame          | Developed by professional software developers. Advanced architectural design, with an embedded scripting language (Lua) that allows the attackers to create custom modules for the threat. It contains an SQLite database used to collect and store information.

4 CHIP magazine, 2012, issue 91, from the article 'Historic Hackers', by Manuel Köppl and Peter Marinus.

Hacking matrix

A historic overview of famous hacks is nice, but an interesting question is: what impact do these hacks have? Do they all have the same massive and destructive impact, or can we distinguish levels of impact and innovation? The Institute of Electrical and Electronics Engineers(5) (IEEE) created the so-called "Hacking Matrix"(6) to rank hacks according to their impact and innovative character. They took 25 of the biggest and best stories and assessed them along two dimensions: impact and innovation. This model shows that the hacks can be placed in (roughly) four categories:

5 IEEE, a non-profit organisation, is the world's largest professional association for the advancement of technology.
6 http://spectrum.ieee.org/static/hacker-matrix


[Figure: Hacking matrix, impact versus innovation; annotated "Flame? / Duqu?"]

Famous hackers

Now that we know the hacks and their impact, let's have a look at the hackers themselves. In his article 'The ten biggest legends of the hacker universe'(7), Carlos Cabezas López has drafted a list of the persons behind the hacks. I personally added two more recent and famous hacker collectives to the list: Anonymous and LulzSec.

7 The Ten Biggest Legends of the Hacker Universe, http://voices.yahoo.com/the-ten-biggest-legends-hacker-universe-369297.html



Kevin Mitnick
Known worldwide as the "most famous hacker" and for serving a prison sentence for infiltrating computer systems. He started dabbling as a minor, using a method known as phone phreaking. Although he has never worked as a programmer, Mitnick is convinced that you can cause severe damage with a telephone and a few calls. These days, having distanced himself from his old hobbies and after spending years behind bars, he works as a security consultant for multinational companies through his company Mitnick Security.

Gary McKinnon
This 41-year-old Scotsman, also known as Solo, is the perpetrator of what is considered the biggest hack in the history of computing into a military system. Not satisfied with this, in 2001 and 2002 he made a mockery of the information security of NASA itself and the Pentagon. He has since fought extradition to the United States for years and was prohibited from using a computer with an Internet connection.

Vladimir Levin
This Russian biochemist and mathematician was accused of one of the biggest bank robberies of all time, committed by cracking. From St Petersburg, Levin managed to transfer funds estimated at approximately 10 million dollars from Citibank in New York to accounts he had opened in distant parts of the world. He was arrested in 1995 at Heathrow airport (UK). Although he managed to steal more than 10 million dollars, he was only sentenced to three years in prison. He is now a free man.

Kevin Poulsen
Today he is a journalist who has collaborated with the authorities to track paedophiles on the Internet, but Poulsen has a dark past as a cracker and phreaker. The event that brought him the most notoriety was taking over Los Angeles phone lines in 1990: a radio station was offering a Porsche to whoever managed to be caller number 102. It goes without saying that Poulsen won the contest.

Timothy Lloyd
In 1996, the company Omega, a supplier to NASA and the United States Navy, suffered losses of around 10 million dollars. The cause was Tim Lloyd, a former employee who had been fired some weeks earlier: Lloyd had left a logic bomb in the company's systems, which finally detonated on 31 July of that year.

Robert Morris
Son of a pioneer of computer security, in 1988 Morris managed to infect no fewer than 6,000 computers connected to the ARPANET (one of the precursors of the Internet). He launched the worm from the Massachusetts Institute of Technology (MIT). For his criminal activities he was sentenced to probation, community service and a fine.

David Smith
Not every hacker can boast of creating the virus that spread fastest across the globe, but David Smith can. In 1999 the father of the Melissa virus managed to infect and crash 100,000 email accounts with his creation. Smith, who was thirty at the time, was arrested, released on bail and later sentenced.

MafiaBoy
In February 2000, many of the most important online companies in the US, such as eBay, Yahoo and Amazon, were knocked offline by Denial of Service attacks, which caused an estimated 1.7 billion dollars in losses. Did these sites know that the perpetrator was a 16-year-old Canadian going by the alias MafiaBoy? Surely not, although it didn't take long to find out, thanks to his bragging about his deed to his classmates at school.

Richard Stallman
Since the early 1980s, when he was a hacker specialising in artificial intelligence, this hippie-looking New Yorker has been one of the most active militants in favour of free software. At MIT he firmly opposed the privatisation of the software used by the institute's laboratory. He created what is known today as GNU and the concept of copyleft. Popular systems like Linux use the GNU tools, and Stallman is one of the gurus of software democratisation.

Masters of Deception (MoD)
MoD was a New York cyber-gang that reached its apogee in the early 1990s. Under various aliases, its biggest attacks involved taking over telephone lines and hubs of the Internet, then still in its infancy. During this time MoD starred in the historic "hacker wars" alongside other groups such as the Legion of Doom (LoD), as they sought to destroy each other until the computers couldn't take it anymore.

Anonymous collective(8)
In their own words: "Hello World. We are Anonymous. What you do or do not know about us is irrelevant. We have decided to write to you, the media, and all citizens of the free world to inform you of our intentions, potential targets, and our ongoing, active campaign for the freedom of information exchange, freedom of expression, and free use of the Internet."

LulzSec(9)
Lulz Security, commonly abbreviated LulzSec, was a hacker group that claimed responsibility for several high-profile attacks, including compromising Sony Pictures user accounts in 2011. The group also claimed responsibility for taking the CIA website offline. Some security professionals have commented that LulzSec drew attention to insecure systems and the dangers of password reuse. LulzSec gained attention because of its high-profile targets and the sarcastic messages it posted in the aftermath of its attacks. One of the founders of LulzSec was a computer security specialist who used the online moniker Sabu. The man accused of being Sabu has helped law enforcement track down other members of the organisation as part of a plea deal; at least four associates of LulzSec were arrested in March 2012 as part of this investigation. British authorities had previously announced the arrests of two teenagers they allege are LulzSec members: T-flow and Topiary.

8 http://www.indybay.org/newsitems/2010/12/09/18666107.php, http://nl.wikipedia.org/wiki/Anonymous_(groep)
9 http://nl.wikipedia.org/wiki/LulzSec


The hack itself: objectives and methods

Now that we have an understanding of hackers, hacking, phreaking and cracking and the impact they can have, in some cases with destructive consequences, it is time to dig a little deeper and find out more about the actual hack itself: its objectives and methods.

We distinguish two types of hack: the 'normal' hack and the so-called ethical hack. The law forbids a 'normal' hack. An ethical hack, however, is a hack on demand: the client and the hacker are bound by a mutually agreed contract.

The main purpose of a hack is gaining access to IT systems, resources or sensitive information. To achieve this, the hacker will try to obtain administrator or root access rights. With these rights he can fully control the network or system: he can cover his tracks, create backdoors and jump to new victims.

Objectives

In general, there are two objectives for hacking. The first is to build a botnet and use it for spam runs or DDoS attacks. The second is to break into a system to find sensitive information and exfiltrate it, either through normal IT communication channels or through covert network channels.

Botnet

A botnet consists of a large group of infected computers. The bot malware hides on the victim's computer and tries to remain unnoticed; it may feed fake results to antivirus software, making it believe the computer is not infected. Besides this, the bot makes itself available for loading new malware. After a successful infection, the victim's computer is part of the botnet and is known as a zombie computer or bot. Bots and botnets are a common form of Internet crime and a powerful means for hackers. Botnets can be small, consisting of a few hundred zombie computers, but some botnets consist of hundreds of thousands of zombies.

SPAM is a collective name for unsolicited (email) messages and also for unwanted junk advertisements posted on websites. Spam differs from other forms of commercial communication in that a message is sent to a group that is much larger than the potential audience. Characteristics of a spam message are:

- Sent in large quantities, to up to (hundreds of) thousands of people simultaneously.
- Commercial purpose: a spam message typically refers to a product or website.
- Sent or posted without the permission or knowledge of the owner, or without the prior consent of the receiver.

The idea behind a spam message is to lure the victim to a bogus website, where a dropper installs malicious code, or to persuade the victim to open a bogus attachment, which installs the malicious software.

DDoS: Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are attempts to disable or disrupt computer services for their intended users. The difference between a DoS and a DDoS attack is that the latter is carried out from many computers simultaneously, often a botnet. It can also be many individuals coordinating their actions (the so-called Anonymous movement). The motive remains the same: disabling or disrupting the computer services for the intended users.

The most common network-based Denial-of-Service attacks fall into two categories: malformed packet attacks and packet floods.

Malformed packet attacks: these attacks usually involve one or two packets that are formatted in an unexpected way. If the receiving software handles such errors poorly, the system may crash when it receives such a packet.

Packet floods: these attacks send a deluge of traffic to a system on the network, overwhelming its capacity to respond to legitimate users. Attackers have devised numerous techniques for creating such floods, the most popular being SYN floods, directed broadcast (smurf) attacks and distributed Denial-of-Service tools.

Data exfiltration

In computing terminology, exfiltration refers to the unauthorized release of data from

within a computer system. This includes copying data through covert network channels

or copying data to unauthorized media.

Organisations try to build their infrastructure in such a way that sensitive information is

protected and people with wrong intentions are kept out. However, once hackers have

hacked into your IT infrastructure, there are quite a few methods for retrieving sensitive

information, even encrypted information. Methods of exfiltration are:

Using permitted protocols, usually Domain Name System (DNS) and Hypertext Transfer Protocol (HTTP) traffic, to send information out. The data itself may be sensitive and therefore filtered by Data Leakage Prevention (DLP). The attacker therefore encrypts the sensitive information with his public key and sends the ciphertext out through services such as Dropbox, Facebook, Twitter, blog comments and posts. Often these services are not filtered by the organisation's control mechanisms and are easy to set up if needed.

Printing is another method of exfiltration. Encrypted information is sent to a company printer. Such printouts are likely to end up in the paper bin rather than

the shredder. Old school dumpster diving is used to retrieve these documents

afterwards. Such documents just need to be OCR’d after their retrieval and

decrypted to reveal the sensitive data that has been stolen.

An alternative to printing encrypted data is using devices with fax-capabilities.

The last method to exfiltrate data is through using a company's Voice over IP

(VoIP) network. VoIP networks are usually accessible from the local network.

Sensitive information is changed from its binary format to an audio format and

sent out through the VoIP network.
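The DNS channel mentioned above leaves a trace in the resolver's query log: the smuggled data appears as many long, high-entropy leftmost labels under one domain. The detection below is an added example and not part of the original text or the author's material. The three-column "client qname qtype" log layout, the client addresses, the .invalid domain and the thresholds are assumptions for this example; the query log is constructed.

```python
import math
from collections import defaultdict

# Constructed resolver query-log excerpt for this example (not real traffic).
# The three-column "client qname qtype" layout is an assumption; adapt
# parse_line() to the format your resolver actually writes. The client
# addresses and the .invalid domain are placeholders.
SAMPLE_LOG = """\
10.1.2.3 www.example.com A
10.1.2.3 mail.example.com MX
10.1.2.3 cdn.example.net A
10.1.2.7 www.example.com A
10.1.2.7 4a6f686e20446f6520313233.t.exfil-test.invalid TXT
10.1.2.7 5365637265742070726f6a65.t.exfil-test.invalid TXT
10.1.2.7 637420666f72203230313320.t.exfil-test.invalid TXT
10.1.2.7 7072696365206c6973742069.t.exfil-test.invalid TXT
10.1.2.7 732061747461636865642e2e.t.exfil-test.invalid TXT
"""


def parse_line(line):
    """Return (client, qname, qtype), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qname, qtype = parts
    return client, qname.rstrip(".").lower(), qtype.upper()


def shannon_entropy(text):
    """Bits per character. Ordinary host labels score low ("www" = 0,
    "mail" = 2.0); hex-encoded payload approaches 4, base32/base64 higher."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (registered domain, leftmost label). A production
    tool should use the Public Suffix List rather than "last two labels"."""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), labels[0]


def find_dns_exfil(log_text, min_unique=4, min_label_len=16, min_entropy=2.5):
    """Group queries per (client, registered domain) and flag groups whose
    leftmost labels are numerous, long and high-entropy: data is being
    carried out of the network inside the query names themselves.
    Returns {(client, domain): stats} for the flagged groups only."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, _qtype = rec
        domain, label = split_name(qname)
        if label:
            groups[(client, domain)].append(label)

    flagged = {}
    for key, labels in groups.items():
        unique = set(labels)
        if len(unique) < min_unique:
            continue
        mean_len = sum(len(lab) for lab in unique) / len(unique)
        mean_ent = sum(shannon_entropy(lab) for lab in unique) / len(unique)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[key] = {
                "queries": len(labels),
                "unique_labels": len(unique),
                "mean_label_len": mean_len,
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in find_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Run against the constructed log, only the client 10.1.2.7 talking to exfil-test.invalid is flagged; the normal lookups from 10.1.2.3 stay below the thresholds. Tune the thresholds on your own baseline traffic: CDNs and some anti-spam services also generate long machine-made labels, so an allow-list of known domains belongs in front of this check.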

Ethical hacking

Ethical hacking is looking at the IT infrastructure of an organisation through the eyes of a hacker. The objective is to test the strength of the target's security. Usually ethical hacking is carried out on the basis of prior agreements on how to deal with identified weaknesses; these may vary from just reporting them to actually exploiting them.

Note: someone who contacts your company saying that he has carried out an "ethical hack" and wants to discuss the security weaknesses he found is simply a (criminal) hacker, punishable under article 138ab of the Dutch Criminal Code. Without prior authorisation there is no ethical hack.

There are several methods for performing an ethical hack:

White box testing: the hacker receives information about the target in advance.

Black box test: the hacker has not received information about the target in advance.

Grey box testing: a combination of white box and black box testing.

It is important to make solid arrangements and a legal contract with the ethical hacker

before any test is conducted. These arrangements should at least include:

Captured and signed agreements on targets, times, contacts, alerts and

responsibility.

Adopted and signed waiver and authorization documents.

Adopted and signed agreements on archiving, destruction and the retention period of

observations.


Remember: when you hire an ethical hacker to perform a security test of your IT environment, things can go wrong: servers may go down, network components may fail and (sensitive) information could get deleted or modified. It is important to have a business continuity plan, or at least a (tested) full backup stored in a secure place, before conducting any penetration test.

Social Engineering

Social engineering10 is a psychological attack vector rather than a technical one. It is the human side of breaking into corporate or personal PCs to gain information: a way to induce the weakest link (humans) to do something, or to give away sensitive information that the requester does not actually need. Every company, even one with an authentication process, firewalls, VPNs and network monitoring software, is exposed to the skill of a good social engineer. Where hacking relies mostly on technical skills, social engineering relies on persuasion: the social engineer tries to get his subject to tell him what he needs to get into the system. In most cases, the social engineer never comes face to face with his target. Social engineering exploits the attributes of the human decision-making process known as cognitive biases. Social engineers use different techniques; an overview:

Pre-texting: creating a false scenario to make a targeted victim feel comfortable

enough to give information. This technique includes more than simple lying. In some

cases an authoritative and earnest sounding voice does the job, but often it includes

impersonating an individual the targeted victim trusts and believes has the right to

get the information asked for.

Diversion theft: the social engineer's goal is to divert goods to a different location. To this end he persuades an administrator or the personnel of a transport or courier company to instruct the driver to redirect the consignment or load.

Phishing: this is a popular email fraud technique to obtain private information. An

email is sent from what appears to be a trustworthy organisation and the message

often includes some sort of warning of consequences if the recipient does not provide

personal information. Phishing sometimes involves websites that resemble the

website of a legitimate organisation to convince targets that it is OK to provide

financial or personal information.

IVR or phone phishing: the idea is the same as normal phishing, but here the intended targets are asked, through an email or letter from what seems to be a trustworthy entity, to phone a number. Phone phishing is also called vishing.

Baiting: a technique like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. The social engineer leaves a malware-infected media device in a location where it is sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. Once the device is inserted it installs malware, giving the engineer unfettered access to the target's PC or internal network.

Quid pro quo: simply "something for something". The social engineer calls the targeted victim and offers something, maybe money, chocolates or merchandise, in exchange for passwords or other personal information.

Social engineers do not rely on technology alone. They know how to make use of human weaknesses such as awe of authority, sympathy with the "problems" of the other, susceptibility to charm, the wish to return a favour, and sensitivity to pressure and urgency.

The attack plan and phasing are very similar to those of a technical attack. A large part of the time needed goes into the first phase: preparation (footprinting) and winning the trust of the victim. The next phase is to determine the strategy or attack plan.

The main measure against social engineering is an organisation-wide security awareness programme. Train your users on a regular basis and test the effectiveness of the programme with resistance tests such as a penetration test, mystery guests and online test programmes.

10 The Hacker News, May 2011, Issue 02, Social Engineering Edition


Phases of a hack (or how it works)

Now that we know the methods and objectives of a hack and have gained some insight into the techniques used, it is time to look at the hack in more detail. Hacks are usually built up in steps or phases. These eight phases are discussed below.

Foot Printing

The aim of footprinting is to obtain general information about the target from publicly available sources: public web pages, telephone directories, yellow pages or the Chamber of Commerce directory. Useful information includes employee names, addresses, telephone numbers, job titles and organisation charts. This information is used in the actual hack or in a social engineering attack.

Objective: find out as much as possible about the intended target, such as its address ranges and domain names (namespace). This information gathering is essential prior to a surgical attack; the key here is not to miss a thing.

Techniques: open-source searches (Pipl, Google, Facebook, Hyves), Whois queries and DNS zone transfers.

Tools: Usenet, Sam Spade, UNIX clients (whois, dig, nslookup), ARIN database.

A special focus during the footprinting phase lies on specific ICT information: online vacancies, names of (IT) managers, and information about IT systems, networks and applications. Hackers often use communication channels such as Usenet and IRC and automated tools like Whois, Netcraft and Google. This phase can take up to 80% of the total time needed to conduct the hack. The more time a hacker spends on footprinting, the more detailed his picture of the weakest spots and the greater his chance of success.

Scanning

Scanning is about identifying live hosts, open ports, and the services and software versions behind those ports. The information from the footprinting phase is used as input for scanning.

Objective: bulk target assessment and identification of listening services focus the attacker's attention on the most promising avenues of entry.

Techniques: ping sweeps, TCP and UDP port scans.

Tools: Nmap, scan.exe, fping, BindView, WebTrends, WS_Ping ProPack.


There are four types of scans:

1. IP scan: systematically scanning a range of IP addresses for live hosts.

2. Port scan: setting up a connection to an application that listens on a particular port.

3. Fingerprinting: determining which operating system and software versions the identified hosts run.

4. Banner info: some applications give away their name and version in a so-called banner.

Enumeration

Enumeration is deployed to prepare a detailed map showing all the (network) targets and their reactions to the scans. Enumeration utilities are used to extract users, groups, and file and share permissions directly from Windows.

Objective: more intrusive probing now begins, as the attacker identifies valid user accounts or poorly protected resource shares.

Techniques: list user accounts, list file shares, identify applications.

Tools: DumpACL, null sessions, OnSite Admin, showmount, NAT, banner grabbing with telnet or netcat, rpcinfo, and the built-in Windows programs (Windows 9x and later), such as nbtstat, netstat and net, once a command prompt is obtained.

Gaining Access

In this phase, the purpose is to gain access to IT resources, accounts and/or information.

This can only succeed if the proper access rights are obtained. Obtaining access may also

include social engineering techniques or the use of exploits. The hacker’s goal is to get

admin or root privileges. With sufficient access rights, he can install root kits and Trojans

to preserve access to the systems. Trojan horses rely on deception - they trick a user or

system administrator into running them for their (apparent) usefulness - but their true

purpose is to attack the user's machine. Root kits allow an attacker who already has

super user access to keep that access by foiling all attempts of an administrator to detect

the invasion.

Objective: At this point, the hacker has enough data to make an informed attempt to

access the target.

Techniques: password eavesdropping, file share brute force, password file grab, buffer overflows.

Tools: tcpdump, L0phtCrack, NAT, Legion, tftp, pwdump, ttdb, IIShack.


Escalating privilege

The purpose of escalating privilege is the same as in the previous phase: to gain access to IT resources, accounts and/or information. This time, however, the attacker seeks full control of a system, with the ultimate goal of owning the IT infrastructure.

Objective: the attacker now seeks to gain complete control of the system. If he succeeds, he effectively owns your IT infrastructure.

Techniques: password cracking, known exploits.

Tools: crack, L0phtCrack, rdist, getadmin and sechole.

Pilfering

The purpose of the pilfering phase is to get access to trusted systems and sensitive

information. This phase combines the outcomes of the previous phases with new

information about trusted systems and locations of sensitive information.

Objective: to identify mechanisms to gain access to trusted systems and sensitive

information.

Techniques: evaluate trust, search for clear-text passwords.

Tools: rhosts, LSA secrets, user data, configuration files, registry.

Covering tracks

A hacker wants to keep control over his victims and therefore needs to hide the intrusion from the administrators. Usually he does this by manipulating the logging.

Objective: once the system is owned, hide that fact from the system administrators so that the access is not lost.

Techniques: disable logging completely, delete or forge log entries, lower the log levels, use covert channels to hide command-and-control and exfiltration traffic inside regular communication, and bypass existing monitoring measures.

Creating backdoors

When a hacker has gained access, he needs to ensure he can return "unseen". He therefore installs a backdoor or rootkit. A backdoor is a small program that bypasses the normal security checks on a system, allowing an attacker to access the machine without providing a password and without being logged.

Objective: trap doors are laid in various parts of the system to ensure that privileged access is easily regained at the whim of the intruder.

Techniques: create rogue user accounts, schedule batch jobs, infect start-up files, plant remote access services, install monitoring mechanisms, replace applications with Trojans.

Tools: membership of the wheel or Administrators group, cron, at, rc scripts, the Start-up folder, registry keys, netcat, remote.exe, VNC, keystroke loggers, added accounts, mail aliases, a trojaned login, fpnwclnt.dll.


Prevention: how not to get hacked

Probably the most valuable information on hacking is information about prevention. How not to get hacked? How to identify a hack? That is what this chapter is about. I will cover general counter measures and specific counter measures.

General counter measures

Counter measures come in different forms and must be implemented according to their objective. Counter measures can be:

Directive: actions taken to cause or encourage a desirable event to occur. Directive controls are broad in nature and apply to all situations.

Preventive: to prevent problems before they arise, by predicting potential problems and making the necessary adjustments in advance.

Detective: to detect and report the occurrence of an error, omission or malicious act.

Corrective: to minimise the impact of a threat: remedy problems discovered by detective controls, identify the cause of a problem and correct the errors arising from it.

Compensating: to compensate for controls that are missing or not effective. If they help to achieve the control objective and are cost-effective, they are considered adequate.

Examples per class of control:

Class: Directive

Organisational structure
Policies
Procedures
Management directives
Guidance statements
Circulars
Job descriptions

Class: Preventive

Timely reconciliation of accounts
Restricted areas, money safes, controls over night collections
Plans, goals, budgets, and comparison of actuals with budgets
Procedure manuals
Adequate background checks on all new employees
Employing only qualified personnel
Segregation of duties (also a deterrent)
Controlling access to physical facilities
Well-designed documents (to prevent errors)
Suitable procedures for authorisation of transactions
Complete programmed edit checks
Access control software that allows only authorised personnel to access sensitive data
Encryption software to prevent unauthorised disclosure of data

Class: Detective

Aging analysis of accounts receivable
Inspection procedures for incoming materials
Having the personnel department authorise the hiring of all employees and set pay levels and pay rate changes
Management approvals, dual controls, system access controls, supervisory review
A work order system to track maintenance costs
Pre-numbered cheques
Requiring all employees to take annual vacation
Periodic audits
Hash totals
Checkpoints in production jobs
Echo controls in telecommunication
Error messages over tape labels
Duplicate checking of calculations
Periodic performance reporting with variances
Past-due account reports
Review of activity logs to detect unauthorised access attempts

Class: Corrective

Contingency planning
Backup and recovery procedures
Rerun procedures
Error detection and resubmission
Audit trails
Discrepancy reports
Error statistics

Class: Compensating

Batch control reconciliations
Transaction logs
Reasonableness tests
Independent reviews and audit trails, such as console logs, library logs and job accounting data
Sequence checks and check digits
Retention of source documentation


Identifying the hack

Identifying aims to discover hackers, preferably before the actual hack occurs, and includes the sub-processes auditing and security monitoring. Auditing focuses on finding vulnerabilities and ineffective controls; security monitoring aims at detecting deviations.

Auditing

Vulnerability scanners are tools for real-time auditing. The results of the scanners can be used as input for the vulnerability and patch management process11. Vulnerability scanners can be network based or host based.

Password auditing tools verify whether the passwords in use meet the requirements of the policy. Often those requirements are not enforced or periodically checked. For user passwords in particular, it is difficult to find a good balance between usability and security. At the time of writing (2012), acceptable password lengths are 10 alphanumeric characters for user passwords and 14 characters for administrators. Better still is two-factor authentication for administrators.

Integrity checks are in place to discover changes in files. The checksum values of these

files are periodically compared with earlier values.
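The integrity check described above, as an added example that is not part of the original text: take a baseline of file hashes, compare a later run against it, and report additions, removals and modifications. The stored baseline is itself protected with an HMAC, because an intruder who already has root on the host (the rootkit case from the previous chapter) will otherwise simply edit the baseline to match the trojaned files. The directory tree, the file contents and the key are constructed for the example; the key name and the HMAC scheme are assumptions, not something the text prescribes.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file below root (path relative to root) to its SHA-256.
    Symbolic links are skipped: hashing their target would hide link swaps."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def serialize_baseline(baseline, key):
    """Canonical JSON plus an HMAC-SHA256 tag, so that a baseline edited by an
    intruder is itself detected. The key must be kept off the monitored host;
    an attacker with root on that host could otherwise re-sign the baseline."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_baseline(blob, key):
    """Verify the tag before trusting the stored hashes."""
    body, _sep, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline HMAC mismatch: stored baseline was modified")
    return json.loads(body)


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def run_demo():
    """Constructed scenario in a temporary directory: take a baseline, then
    play the intruder (trojan a binary, plant a backdoor, delete a log) and
    finally try to tamper with the stored baseline. Returns the change report
    and whether the tampered baseline was rejected."""
    key = b"example-key-kept-off-host"  # assumption: in reality stored elsewhere
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")
        with open(os.path.join(root, "log", "auth.log"), "wb") as f:
            f.write(b"Accepted password for admin\n")
        blob = serialize_baseline(build_baseline(root), key)

        # The intruder's changes after the baseline was taken.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary")
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"planted backdoor")
        os.remove(os.path.join(root, "log", "auth.log"))
        report = compare(load_baseline(blob, key), build_baseline(root))

        # Editing the stored baseline (e.g. renaming an entry) must be caught.
        tampered = blob.replace(b'"bin/login"', b'"bin/login.bak"', 1)
        try:
            load_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline and the key are written to read-only or off-host storage, the comparison runs from a trusted environment (a rescue image or a separate host that mounts the disk), and the set of monitored paths covers system binaries, start-up files and configuration, which are exactly the places the backdoor phase touches.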

Security monitoring

Security monitoring aims to detect deviations by analysing (real-time) events and should also bring physical security events into the security-monitoring environment (burglar alarms, CCTV images, personnel movements, transport, unauthorised access, infrared detection, etcetera). Most organisations do not include those physical events because of the traditional separation between logical and physical security.

Security monitoring usually involves IDS or IPS systems. The strength of these systems is that all events are logged. Their disadvantage is that they generate so much data that it cannot be analysed without filters or reporting tools. A frequently used tool for this is Security Information & Event Management (SIEM). Beware though: the SIEM can be a target for hackers too.

11 A patch is a small program that adjusts existing software to fix errors or bugs in that software. Patches can be preventive (preventing problems), adaptive (environmental changes), corrective (solving incidents/problems) and perfective (change in specifications).


Specific measures: top 10 defences

Besides the general counter measures mentioned above, there are also specific measures

that can be implemented to prevent being hacked. A top 10:

1. Incident response

Truly effective incident response procedures are multidisciplinary and do not just focus on IT. Document and communicate the roles, responsibilities and communication channels of Legal, HR, Media Relations, IT and the Security Department. Specific members should be designated as the core of a Security Incident Response Team (SIRT) that is called together to address an incident when one occurs. A SIRT should also conduct periodic exercises of the incident response capability to ensure that team members are effective in their roles.

2. Network design measures

To defend against network mapping and port scans, the administrators should remove all

unnecessary systems and close all unused ports. The administrator must disable and

remove unneeded services. Only those services that have a defined business need should

be active. A security administrator should periodically scan the systems.

3. Network scanning measures

Administrators must close unused network ports. To eliminate the majority of system

vulnerabilities, system patches should be applied in a timely fashion. All organizations

using computers should have a defined change control procedure that specifies when and

how system patches will be kept up-to-date.

This procedure should include conducting periodic vulnerability scans of networks to find

vulnerabilities before attackers do. Discovered vulnerabilities should be addressed in a

timely fashion by updating system configuration or applying the patches.

If you use traditional telephone networks, implement measures against war dialling. The best defence is a strong modem policy that prohibits modems and incoming lines without a business need. In addition, conduct war-dialling exercises against your own number ranges to find unregistered modems. Any modem found must be located and deactivated before attackers find it.

Ways to frustrate footprinting: register domains under generic business contact details rather than named employees, and use a generic business telephone range such as the +31 88 numbers (note 12), so that business phone numbers cannot be mapped to a (Dutch) region. Use a decoy email address and monitor the messages delivered to it. Check yourself or your company on public websites like Pipl, Google, Facebook, Hyves, etc. If you find information, ask whether it needs to be there and whether it could be used for target mapping. Last but not least, do not list all of your ICT infrastructure components in online vacancies.

12 The Dutch regulatory authority OPTA has opened the 088 number range for companies and administrations. These organisations can request numbers from this range (officially "numbers for access to undertakings and administrations").

Make sure the "outer" network components are configured so that they do not give away information (answers) on IP or port scans. Analyse and document the used and unused services/protocols on your firewalls. Regularly audit the current settings of the network components and compare the results with previous results. Install Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) and analyse their logs. Locate your critical, Internet-facing business applications and determine how these applications react to scans. Regularly audit the "outer" network components by performing scans, or by trying to set up a netcat connection to their ports. Remember that your IT staff will not notice some scans or tools, because they are 'hidden' in normal Internet traffic or because a hacker scans during the night.

4. Network communication measures

The best defence against sniffing attacks is to encrypt data in transit. Do not send passwords in clear text, and eliminate the broadcast nature of Ethernet by using switches instead of hubs. Note that a switch only removes passive sniffing; an attacker on the same LAN can still intercept traffic with ARP spoofing, so encryption remains the primary control.

Also implement measures against IP spoofing. Systems should not use IP addresses for authentication; any function that relies solely on IP addresses for authentication should be disabled or replaced. Do not let administrators use the insecure UNIX r-commands: these rely on host names or IP addresses for authentication, without a password. Use administration tools that require strong authentication instead. Implement anti-spoof filters on your Internet-facing networks (DMZ). Anti-spoof filters drop all traffic coming from outside the organisation that claims to come from inside and, in the other direction, outbound traffic with source addresses that are not your own.

5. Network connection takeover measures

Avoid insecure protocols and applications for sensitive sessions, such as rlogin and Telnet. Use secure shell (SSH) instead. SSH provides strong authentication and encryption, and its secure file transfer capabilities (SCP, SFTP) replace the traditional File Transfer Protocol (FTP).

6. Denial-of-Service measures

The best defence against malformed-packet Denial-of-Service attacks is a solid vulnerability and patch management process: vendors regularly release patches to handle a new flavour of Denial-of-Service attack. Packet floods are not fixed by patches; they require sufficient capacity, rate limiting and filtering upstream at the provider, and anti-spoof filtering so that your own network cannot be used as a flood source.

An adequate patch management process prevents many problems with software vulnerabilities. The time between the discovery of a vulnerability and the availability of an exploit for it gets shorter and shorter. So patch, patch and patch.

7. Stack-Based Buffer overflow defences

The most thorough defence against buffer overflow attacks is to write software properly, so that it cannot be used to smash the stack. All programs should validate all input from users and other programs, ensuring that it fits into the allocated memory structures; every variable should be checked to ensure that the allocated buffer can hold the data. Additionally, security practitioners and system administrators should carefully control and minimise the number of SUID programs on a system that users can run: only SUID programs with an explicit business need should be installed on sensitive systems. Many stack buffer overflow attacks can be avoided by configuring the systems so that they do not execute code from the stack (a non-executable stack).

Web applications: deploy (Internet-facing) web applications into production only after you have tested them. Make sure your web applications are developed using a formal software development process. The developer should ensure that the web application is tested against at least the Open Web Application Security Project (OWASP) top 10 web application security risks13.

In 2010, the largest web application risks were:

1. Injection (notably SQL injection)

2. Cross-site scripting (XSS)

3. Broken authentication and session management

4. Insecure direct object references

5. Cross-site request forgery (CSRF)

6. Security misconfiguration

7. Insecure cryptographic storage

8. Failure to restrict URL access

9. Insufficient transport layer protection

10. Unvalidated redirects and forwards.

Set adequate account policies: require passwords or, better, enforce strong passwords and use strong authentication methods like tokens, smart cards or biometrics for remote access services. Encrypt sensitive information. Use account lockout and limit login attempts in all IT environments, not only in production. Log failed account and access attempts to a log system and review these logs on a regular basis. Adjust your policy settings if needed.
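The log review recommended above, as an added example that is not part of the original text: replay an authentication log against the lockout policy, flag accounts that reach the lockout threshold, flag logins that nevertheless succeed for such an account (which means the lockout is configured but not enforced), and flag sources that spray many accounts. The sshd-style log format, the host name, the documentation-range addresses and the thresholds are assumptions for this example; the log excerpt is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication log excerpt (not from a real system).
# Addresses are from documentation ranges; host name and PIDs are made up.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 srv1 sshd[2201]: Failed password for admin from 203.0.113.5 port 50111 ssh2
Jan 10 03:14:03 srv1 sshd[2201]: Failed password for admin from 203.0.113.5 port 50112 ssh2
Jan 10 03:14:06 srv1 sshd[2201]: Failed password for admin from 203.0.113.5 port 50113 ssh2
Jan 10 03:14:09 srv1 sshd[2201]: Failed password for admin from 203.0.113.5 port 50114 ssh2
Jan 10 03:14:12 srv1 sshd[2201]: Failed password for admin from 203.0.113.5 port 50115 ssh2
Jan 10 03:14:20 srv1 sshd[2201]: Accepted password for admin from 203.0.113.5 port 50116 ssh2
Jan 10 03:30:00 srv1 sshd[2305]: Failed password for invalid user backup from 198.51.100.9 port 40001 ssh2
Jan 10 03:30:02 srv1 sshd[2305]: Failed password for invalid user oracle from 198.51.100.9 port 40002 ssh2
Jan 10 03:30:04 srv1 sshd[2305]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Jan 10 03:30:06 srv1 sshd[2305]: Failed password for jsmith from 198.51.100.9 port 40004 ssh2
Jan 10 03:30:08 srv1 sshd[2305]: Failed password for mjones from 198.51.100.9 port 40005 ssh2
Jan 10 08:05:00 srv1 sshd[3100]: Failed password for jsmith from 10.1.2.3 port 51000 ssh2
Jan 10 08:05:30 srv1 sshd[3100]: Accepted password for jsmith from 10.1.2.3 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Return (datetime, raw timestamp, outcome, user, source), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the default year 1900 is fine for the
    # time deltas used here, but a real tool must handle the year boundary.
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return when, m["ts"], m["outcome"], m["user"], m["src"]


def review_auth_log(text, max_failures=5, window=timedelta(minutes=10),
                    spray_accounts=5):
    """Replay the log against the lockout policy and report:
    lockouts: (user, source, ts) when an account hits max_failures in window;
    enforcement_gaps: successful logins for an account after it should have
      been locked, i.e. the policy exists on paper but not on the system;
    sprays: sources that failed against spray_accounts or more accounts."""
    user_failures = defaultdict(list)   # user -> [datetime of each failure]
    src_users = defaultdict(set)        # source -> accounts it failed against
    locked = {}                         # user -> (source, ts) at threshold
    lockouts, enforcement_gaps, sprays = [], [], []
    for line in text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        when, ts, outcome, user, src = ev
        if outcome == "Failed":
            user_failures[user].append(when)
            src_users[src].add(user)
            recent = [t for t in user_failures[user] if when - t <= window]
            if len(recent) >= max_failures and user not in locked:
                locked[user] = (src, ts)
                lockouts.append((user, src, ts))
        elif user in locked:
            enforcement_gaps.append((user, src, ts))
    for src, users in src_users.items():
        if len(users) >= spray_accounts:
            sprays.append((src, sorted(users)))
    return {"lockouts": lockouts, "enforcement_gaps": enforcement_gaps,
            "sprays": sprays}


if __name__ == "__main__":
    for kind, findings in review_auth_log(SAMPLE_AUTH_LOG).items():
        print(kind, findings)
```

On the constructed log the admin account reaches the threshold at 03:14:12 and then still logs in at 03:14:20, which is the finding that matters: the subsequent success is the evidence to escalate, not the failures. The second source is a password spray across five accounts, which a per-account lockout never triggers; that is why the review groups failures per source as well as per account.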

Data validation and editing procedures

Data validation ensures that an application is robustly secured against all forms of input data, whether

obtained from the user, infrastructure, external entities or database systems.

Sequence checks: the control number follows sequentially, and out-of-sequence or duplicated control numbers are rejected or noted in an exception report for follow-up. For example, invoices are numbered sequentially. The day's invoices begin with 12001 and end with 15045. If an invoice number larger than 15045 is encountered during processing, that invoice is rejected as having an invalid number.

Limit check: data should not exceed a predetermined amount. For example, payroll checks should not

exceed €4.000. If a check exceeds €4.000, the data will be rejected for further

verification/authorization.

Range check: data should be within a predetermined range of values. For example, product type code

ranges from 100 to 250.

Validity check: programmed checking of the data validity according to predetermined criteria. For

example, a payroll record contains a field for marital status and the acceptable status codes are M or S.

Reasonableness checks: input data are matched to predetermined reasonable limits or occurrence

rates. For example, a widget manufacturer usually receives orders for no more than 20 widgets. If

there is an order for more than 20 widgets, the computer program should be designed to print the

record with a warning indicating that the order appears unreasonable.

[13] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


Table lookups: input data comply with predetermined criteria maintained in a computerized table of possible values.

Existence checks: data are entered correctly and agree with valid predetermined criteria. For example, a valid transaction code must be entered in the transaction code field.

Key verification: the keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input.

Check digit: a numeric value that has been calculated mathematically is added to the data to ensure that the original data have not been altered, or an incorrect but valid value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

Completeness checks: a field should always contain data rather than zeros or blanks.

Duplicate check: new transactions are matched with previous input to ensure they have not already been entered.

Logical relationship check: if a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past his/her date of birth.
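The edit checks above, as an added example that is not part of the white paper: several of them (sequence, duplicate, completeness, existence, range, limit, reasonableness and a Luhn check digit) applied to constructed order records, using the text's own bounds (invoices 12001 to 15045, limit €4.000, product codes 100 to 250, 20 widgets); the transaction code table and the sample records are constructed.

```python
# Added example, not the white paper's code: the edit checks above run on constructed records.
INVOICE_FIRST, INVOICE_LAST = 12001, 15045  # sequence check: today's invoice numbers
AMOUNT_LIMIT = 4000                         # limit check: EUR 4.000
PRODUCT_CODES = range(100, 251)             # range check: product type code 100-250
TX_CODES = {"INV", "CRN"}                   # existence check against a constructed code table
REASONABLE_QTY = 20                         # reasonableness check: rarely more than 20 widgets
def luhn_valid(number: str) -> bool:
    """Check digit (Luhn mod 10): catches transcription and adjacent transposition errors."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right; 10..18 become 1..9
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def check_record(rec: dict, seen: set) -> list:
    """Exception-report lines for one record; only WARNING lines leave it accepted."""
    out, n = [], rec.get("invoice_no")
    if n is None:                                     # completeness check
        out.append("invoice_no missing")
    elif not INVOICE_FIRST <= n <= INVOICE_LAST:      # sequence check
        out.append(f"invoice_no {n} out of sequence")
    elif n in seen:                                   # duplicate check
        out.append(f"invoice_no {n} already entered")
    if rec.get("tx_code") not in TX_CODES:            # existence check / table lookup
        out.append(f"invalid tx_code {rec.get('tx_code')!r}")
    if rec.get("product_code") not in PRODUCT_CODES:  # range check
        out.append("product_code outside 100-250")
    if rec.get("amount", 0) > AMOUNT_LIMIT:           # limit check: hold for authorization
        out.append(f"amount {rec['amount']} exceeds {AMOUNT_LIMIT}")
    if not luhn_valid(str(rec.get("account", ""))):   # check digit
        out.append("account number fails check digit")
    if rec.get("quantity", 0) > REASONABLE_QTY:       # reasonableness: flag, do not reject
        out.append(f"WARNING quantity {rec['quantity']} appears unreasonable")
    if all(m.startswith("WARNING") for m in out):     # clean or warning-only: accepted
        seen.add(n)
    return out

# Constructed batch: a clean record, its duplicate, and one that fails most checks.
SAMPLE = [
    {"invoice_no": 12001, "tx_code": "INV", "product_code": 150, "amount": 250,
     "account": "79927398713", "quantity": 5},
    {"invoice_no": 12001, "tx_code": "INV", "product_code": 150, "amount": 250,
     "account": "79927398713", "quantity": 5},
    {"invoice_no": 15046, "tx_code": "XXX", "product_code": 300, "amount": 4500,
     "account": "79927398710", "quantity": 25},
]
```

Feeding SAMPLE through check_record with one shared `seen` set accepts the first record, reports the second as a duplicate and rejects the third with six report lines.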

Data file control procedures

Before and after imaging: computer data in a file prior to and after a transaction is processed can be recorded and reported.

Maintenance error reporting and handling: control procedures should be in place to ensure that all error reports are properly reconciled and corrections are submitted on a timely basis.

Source documentation retention: source documentation should be retained for an adequate time period to enable retrieval, reconstruction or verification of data.

Internal and external labelling: internal and external labelling of removable storage media is imperative to ensure that the proper data are loaded for processing.

Version update: for correct processing, it is critical that the proper version of a file is used and that it is the correct file.

Data file security: data file security controls prevent unauthorized access by unauthorized users who may have access to the application to alter data files.

One-by-one checking: individual documents agree with a detailed listing of documents processed by the computer.

Pre-recorded input: certain information fields are pre-printed on blank input forms to reduce initial input errors.

File updating and maintenance authorization: proper authorization for file updating and maintenance is necessary to ensure that stored data are safeguarded adequately, correct and up to date.

Parity checking (aka vertical redundancy check) involves adding a bit (the parity bit) to each character during transmission. Where bursts of errors occur (i.e., impulse noise at high transmission rates), it has a reliability of approximately 50%, so at higher transmission rates this limitation is significant.

Cyclic redundancy check (CRC): a CRC can check a whole block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both are equal, the block is assumed error free. In this case, unlike a parity or echo check, multiple errors can be detected. In general, a CRC can detect all single-bit and double-bit errors.

Echo check: detect line errors by retransmitting data back to the sending device for comparison with the original transmission.
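The parity and CRC checks described above, as an added example that is not part of the white paper: a per-character even parity bit beside a block CRC-16 (CCITT-FALSE parameters, an assumption; the text names no polynomial), with constructed line noise showing that two bits flipped inside one character slip past parity but not past the CRC.

```python
# Added example, not from the white paper: per-character parity versus a block CRC-16.
def parity_bit(byte: int) -> int:
    """Even parity: 1 if the byte has an odd number of set bits, so the total becomes even."""
    return bin(byte).count("1") & 1

def add_parity(data: bytes) -> list:
    """Vertical redundancy check: one parity bit per transmitted character."""
    return [parity_bit(b) for b in data]

def parity_ok(data: bytes, bits: list) -> bool:
    return add_parity(data) == bits

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE over the whole block, computed bit-serially for clarity."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def flip_bits(data: bytes, positions: list) -> bytes:
    """Simulate line noise: positions are absolute bit indices (0 = MSB of the first byte)."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 0x80 >> (p % 8)
    return bytes(out)

def receiver_checks(sent: bytes, received: bytes) -> dict:
    """What each check concludes about a received block, given what the sender transmitted."""
    return {
        "parity_detects": not parity_ok(received, add_parity(sent)),
        "crc_detects": crc16_ccitt(received) != crc16_ccitt(sent),
    }

MESSAGE = b"INVOICE 12001 EUR 250.00"   # constructed block of transmitted data

def demo() -> dict:
    single = flip_bits(MESSAGE, [3])      # one bit hit by noise
    burst = flip_bits(MESSAGE, [3, 5])    # two bits in the same character: a short burst
    return {"single": receiver_checks(MESSAGE, single),
            "burst": receiver_checks(MESSAGE, burst)}
```

Parity only notices an odd number of flipped bits within a character, which is where the roughly 50% figure for error bursts comes from; the CRC detects both cases.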

Data integrity in online transaction processing systems (ACID)

Atomicity: from a user perspective, a transaction is either completed in its entirety (i.e. all relevant database tables are updated) or not at all. If an error or interruption occurs, all changes made up to that point are backed out.

Consistency: all integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.

Isolation: each transaction is isolated from other transactions and hence each transaction only accesses data that are part of a consistent database state.


Durability: if a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.
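Atomicity and consistency as described above, as an added example that is not part of the white paper: a constructed two-account ledger in SQLite where a CHECK constraint is the integrity condition, so a transfer that would break it backs out the credit already made. Account names and balances are constructed.

```python
# Added example, not from the white paper: an atomic transfer on a constructed SQLite ledger.
import sqlite3

def open_ledger() -> sqlite3.Connection:
    """In-memory ledger; the integrity condition is that no balance may go negative."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT below
    con.execute("CREATE TABLE account (id TEXT PRIMARY KEY, "
                "balance INTEGER NOT NULL CHECK (balance >= 0))")
    con.executemany("INSERT INTO account VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return con

def _update_one(con, sql: str, params: tuple) -> None:
    """Run an UPDATE that must hit exactly one row, else the ledger would be inconsistent."""
    if con.execute(sql, params).rowcount != 1:
        raise sqlite3.IntegrityError("update did not affect exactly one account")

def transfer(con, src: str, dst: str, amount: int) -> bool:
    """Credit dst, then debit src: either both changes commit or neither does."""
    if amount <= 0:
        return False
    try:
        con.execute("BEGIN IMMEDIATE")
        _update_one(con, "UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        # The debit may violate the CHECK constraint; the credit above is then backed out.
        _update_one(con, "UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        con.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        con.execute("ROLLBACK")   # atomicity: all changes made so far are undone
        return False

def balances(con) -> dict:
    return dict(con.execute("SELECT id, balance FROM account ORDER BY id").fetchall())
```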

8. Password cracking defences

The first defence against password cracking is minimizing the exposure of encrypted/hashed password files. A strong password policy is crucial to ensuring a secure network. A password policy should require password lengths of at least 10 characters. Users must be aware of the issue of weak passwords and be trained in creating memorable, yet difficult to guess passwords.

Try to prevent your system administrators from working with their admin or root accounts on a regular and daily basis. Get your system administrators to use a normal user account for their non-administrator work. Rename the default admin or root account (if possible) and block default guest accounts. Choose appropriate password policies and set a minimum password length, a password history and forbidden password prefixes (123, 234, abc, bcd, etc.). Determine account lockout settings and deploy them, not only to production, but also to the development, testing and acceptance environments. Determine the amount of logging information you need and review this on a regular basis. Adjust your policy settings if needed.

In contrast to normal users, you could adjust the administrator account policies to enable strong authentication by default for administrators. Log failed account and access attempts into a log system and review these logs on a daily basis. Adjust your policy settings if needed.
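The policy rules above (minimum length 10, password history, forbidden sequential prefixes, account lockout, logging of failed attempts), as an added example that is not part of the white paper; the history depth, lockout threshold and lockout duration are constructed values, and the prefix rule is generalised from the text's 123/234/abc/bcd list to any three consecutive digits or letters.

```python
# Added example, not from the white paper: password policy check plus lockout and failed-attempt log.
import hashlib, hmac, os, string, time

MIN_LENGTH, HISTORY_DEPTH = 10, 5            # length from the text; history depth constructed
LOCKOUT_THRESHOLD, LOCKOUT_SECONDS = 5, 900  # constructed lockout settings

def is_sequential_prefix(pw: str) -> bool:
    """Generalises 123/234/abc/bcd: any run of three consecutive digits or letters at the start."""
    p = pw[:3].lower()
    return len(p) == 3 and (p in string.digits or p in string.ascii_lowercase)

def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2; the stored form is (salt, digest), so a stolen file still needs cracking."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

def policy_violations(pw: str, history: list) -> list:
    """Reasons a new password is rejected; history holds (salt, digest) pairs of earlier ones."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_sequential_prefix(pw):
        reasons.append("starts with a sequential prefix such as 123 or abc")
    if any(hmac.compare_digest(hash_password(pw, s)[1], d) for s, d in history[-HISTORY_DEPTH:]):
        reasons.append("reused from password history")
    return reasons

class Account:
    """Lockout state for one account; failed attempts are logged for regular review."""
    def __init__(self, name: str, password: str):
        self.name, self.failures, self.locked_until, self.log = name, 0, 0.0, []
        self.salt, self.digest = hash_password(password)

    def login(self, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if now < self.locked_until:
            self.log.append((now, self.name, "attempt while locked out"))
            return False
        if hmac.compare_digest(hash_password(password, self.salt)[1], self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self.log.append((now, self.name, f"failed attempt {self.failures}"))
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS   # lock out; review the log before unlocking
        return False
```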

9. Backdoor Defences

The best defence against backdoor programs is that system and security administrators know what is running on their machines, particularly sensitive systems storing critical information or processing high-value transactions. If a process is suddenly running as the super user listening on a port, the administrator needs to investigate.

A central SYSLOG server is used to transfer data from the local (system) log on a scheduled basis. Make the central log store append-only. Take integrity measures. Perform log analysis on a regular basis, including automated signalling to an administrator/manager.

10. Trojan horses and Root kit defences

To protect against Trojan horses, user awareness is key. Users must understand the risks associated with downloading and running untrusted programs. The same goes for running executable attachments in email from untrusted sources and visiting rogue web sites. Computers should have an effective and up-to-date anti-virus program installed. To defend against root kits, system and security administrators must use integrity checking programs for critical system files. Unfortunately, kernel-level root kits cannot be detected with integrity check programs, because the integrity checker relies on the underlying kernel to do its work. If the kernel lies to the integrity checker, the results will not reveal the root kit installation.


Scan regularly for Trojan horses, root kits and backdoors with internal scanners, but also with external (commercial) scanners. If possible, use multiple kinds and types of scanners. For example, use different kinds and types of scanners for the "outer" (Internet-facing) network layer, the DMZ, the (application) servers and the workstations. Use integrity checking software. The best defence against kernel-level root kits is a monolithic kernel that does not support loadable kernel modules. On critical systems (firewalls, Internet web servers, DNS servers, mail servers, etc.) administrators should build the systems with complete kernels without support for loadable kernel modules. With this configuration, the system will prevent an attacker from gaining root-level access and patching the kernel in real time.


Epilogue

So we have learnt that hacking is not something that only dominates the news in recent months: hacking is of all times and will probably never go away. Hacking will become even more dominant because the crackers (yes, not the hackers) can easily earn big amounts of money with their botnets, spam, ransomware, drive-by-download infections and attacks on Internet-facing web applications. Secondly, the number of web users still increases every day, and thus the number of potential victims and attack vectors increases every day too.

In this white paper hackers and hacking are revealed: who they are, what they do, what types there are and how they do what they do. A hack comes in phases. By knowing all this, prevention begins.

Identifying and analysing the attacks is the start of prevention. The information in this white paper helps you to defend yourself or your company from hacking by using preventive, detective, corrective and compensating countermeasures.


Bibliography

Acknowledgement of sources:

1. ir. Kees Hogewoning, ing. Gerrit Th. Lith, ing. Marco G.M. van der Kraan, Erwin A.J. Verburg and others, 2007, "Internet Security, securing internet connected networks", published by NGN (www.ngn.nl) and Vanveen informatica (http://www.vanveen.nl). ISBN 978-90-71501-16-6.

2. Information Security Management Handbook, Fifth Edition, by Harold F. Tipton and Micki Krause, 2004, published by Auerbach Publications, ISBN 0-8493-1997-8.

3. Govert 2011 presentation "Auditing the Hacker's mind: the Hacker's Profile Project 2.0", Raoul Chiesa, Senior Advisor on Cybercrime at Emerging Crime Unit (ECU), United Nations Interregional Crime and Justice Research Institute (UNICRI).

4. Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, ISBN 978-1-4200-8693-5-9000.

5. Hacking Exposed, Network Security Secrets & Solutions, 2004, by Stuart McClure, Joel Scambray and George Kurtz, published by Osborne/McGraw-Hill, ISBN 0-07-212127-0.

6. CHIP magazine, 2012, number 91, article 'Historical hackers', by Manuel Köppl and Peter Marinus.

7. The Ten Biggest Legends of the Hacker Universe, http://voices.yahoo.com/the-ten-biggest-legends-hacker-universe-369297.html, by Carlos Cabezas López.

8. The Hacker News, May 2011 - Issue 02 - Social Engineering Edition.

Credentials (Websites):

1. National Cyber Security Centrum, https://www.ncsc.nl/

2. Security.NL, http://www.security.nl

3. Iusmentis, http://www.iusmentis.com/

4. General Intelligence and Security Service of the Netherlands, https://www.aivd.nl/english/publications-press/press-releases/@2664/aivd-annual-report/

5. Patch management by NCSC, http://www.govcert.nl/dienstverlening/Kennis+en+publicaties/whitepapers/patch-management.html

6. UNICRI Cybercrime Home Page, http://www.unicri.it/emerging_crimes/cybercrime/

7. The Ten Biggest Legends of the Hacker Universe, http://voices.yahoo.com/the-ten-biggest-legends-hacker-universe-369297.html

8. Anonymous, http://www.indybay.org/newsitems/2010/12/09/18666107.php, http://nl.wikipedia.org/wiki/Anonymous_(groep)

9. Lulzsec, http://en.wikipedia.org/wiki/LulzSec

10. OWASP Top 10, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

11. Data Exfiltration, http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/