Hacking Revealed versie 2.0 UK
1
Hacking revealed
A hacker's analysis: their victories, their history, the hack itself.
Can we see it happen? Can we defend our self against it?
References

Author:  T.L.P. Heinsbroek B.ICT CISSP CISA
Company: SeKuRiGo [1], http://www.sekurigo.nl
Date:    17th of October 2012
License: Attribution-Share Alike 3.0

[1] SeKuRiGo is an independent company focusing on the cutting edge of organisation and IT, specialising in information security management, identity and access management and IT-audit.
Table of Contents
Preface .......................................................................................... 4
Hacking: an introduction ................................................................ 5
Hackers, crackers, phreakers and script kiddies ............................................. 5
Four generations ........................................................................................ 6
Cyber crime drivers .................................................................................... 6
Profiling Hackers ........................................................................... 8
First model ................................................................................................ 8
Second model ............................................................................................ 9
A history of hacking and hackers ................................................. 10
Famous hacks .......................................................................................... 10
Hacking matrix......................................................................................... 11
Famous hackers ....................................................................................... 12
The hack itself: objectives and methods ...................................... 15
Objectives ............................................................................................... 15
Ethical hacking ......................................................................................... 17
Social Engineering .................................................................................... 18
Phases of a hack (or how it works) .............................................. 20
Foot Printing ............................................................................................ 20
Scanning ................................................................................................. 20
Enumeration ............................................................................................ 21
Gaining Access ......................................................................................... 21
Escalating privilege ................................................................................... 22
Pilfering .................................................................................................. 22
Covering tracks ........................................................................................ 22
Creating backdoors ................................................................................... 23
Prevention: how not to get hacked .............................................. 24
General counter measures ......................................................................... 24
Identifying the hack .................................................................................. 26
Specific measures: top 10 defences ............................................................ 27
Epilogue ....................................................................................... 33
Bibliography ................................................................................ 34
Preface

Hacking seems to dominate the news recently. Comodo, Stuxnet, DigiNotar, Anonymous, Lulzsec, Duqu, the KPN hack, the infected websites weeronline.nl and nu.nl, the Flashback botnet and Flame: they were all in the news. The question is whether hacking really is so dominant at the moment, or whether these hacks just get a lot of media exposure. Let's put it this way: is hacking a new phenomenon, or has hacking been around all along?

In this whitepaper I will argue that hacking is not new, and that it is mostly the media attention and the openness of breached organisations that give us the idea that hacking is dominating the news. I will also explain the types of hackers and what their reasons and objectives are for doing what they do. I will explain the difference between (professional and governmental) hackers, crackers, the wannabes and script kiddies, and also give a brief insight into techniques such as social engineering, installing Trojan horses, backdoors, zero-day exploits, using maintenance hooks, port scanning and enumeration.

I will provide information from scientific research by the United Nations Interregional Crime and Justice Research Institute (UNICRI), which shows that hacking is of all times and has evolved over the course of forty years. I will present the hacker's profile, a model to identify hackers by their modus operandi. With this model an organisation can identify the hacker behind a hack.

The fact that hacking is not new does not mean it isn't dominant. There is, after all, a downside to it: many Internet-facing websites are still vulnerable to hacking and have no defence against one or more weaknesses, such as SQL injection. Therefore I will explain the hack itself and, last but certainly not least, supply information that helps you identify and analyse an attack and defend yourself by implementing preventive, detective, corrective and compensating countermeasures.
Hacking: an introduction
Hackers, crackers, phreakers and script kiddies
Hackers come in many forms and types and have different reasons for doing what they do. There are, roughly, four groups of hackers. Let me explain those.

A hacker sees himself as someone who wants to learn how computer systems and security work. His goal is to collect knowledge about security and systems; he does not intend to do damage. A hacker basically wants to learn. He or she uses this knowledge to evaluate (computer) security. A hacker performs security assessments to find out whether the tested software is vulnerable to (unknown) exploits or has backdoors and trapdoors installed. If a hacker finds miscoded software functions, he is willing to reveal his findings to the owner of the software.

An ethical hacker is a hacker performing hacks on demand, i.e. someone asks him to perform these tests. He (or she) is bound by the constraints of a pre-determined contract between the ethical hacker and the sponsor or organisation.
Besides hackers there are the so-called crackers. Crackers are criminal subjects. Their motives are not as noble: brand recognition (UseNet, dark-hacker scene, IRC channels), personal gain and vindictive acts. The crackers are the ones who wreak the most havoc. They specialise in causing damage, stealing information, deactivating software protection, entering restricted security areas or programming viruses. In the hackers' world, hackers are denoted white hats and crackers black hats [2].

[2] This originates from the old black and white Western movies, where the good guys wore a white hat and the bad guys wore a black hat.

Phreakers are responsible for exploring the farthest reaches of the telephone networks, using technology to manipulate frequencies. They aim to make free calls to any part of the world and sometimes break into important centres. Currently, phreakers aim at mobile phones, wireless technology and VoIP (Voice over Internet Protocol).

At the bottom of the list we have what we call the 'wannabe lamer' and script kiddies. These are hackers that do not have much knowledge (yet) and make use of publicly available tools, which often can be found on the Internet. They rely totally on these freely available tools and therefore do not acquire any knowledge of the underlying network infrastructure. They pick their targets randomly through Usenet or IRC channels. Sometimes script kiddies launch attacks meant for specific Microsoft OS environments at a UNIX OS environment. Examples are website defacing, Ping of Death, Distributed Denial of Service (DDoS) and LOIC (Low Orbit Ion Cannon), all based on tooling, not on knowledge.
While the cracker focuses on 'hacking on demand' and organized crime, the ethical
hacker focuses on security research, finding zero-day-exploits and selling his findings to
the owner or vendor.
At the top of the hackers' list we find the professional hackers: the cyber-warrior, the industrial spy, the government agent and the military hacker. Driven by anger, espionage and sometimes even by governmental agencies, they tend to attack the Internet infrastructure of other countries or private ('symbol') companies. They use hacking tools and techniques to gain access to sensitive information and to disrupt industrial facilities, but also to perform criminal activities (online pharmacies, etc.).
Four generations
The first generation of hackers (1970s) was inspired by the need for knowledge. They mainly wanted to find out how computers work. This was (in those years) a very new technology and the only way to find out more about it was by literally looking into the computer's hardware and software.

The second generation of hackers (1980-1984) was driven by curiosity. They wanted to figure out how operating systems and network components actually worked. The only way to learn this was by hacking them. In the late 80s hacking became a trend.

The third generation of hackers (1990s) was simply pushed by the anger for hacking: a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks and exchanging information with the underground community. During this period new concepts such as hackers' magazines, e-zines and electronic bulletin boards came into existence.

The fourth generation of hackers (2000 up until today) is mostly driven by anger and money. We often see subjects with very little know-how who assume it is cool to be a hacker and brag about it. These hackers are hardly interested in the history of hacking and phreaking or in its culture and ethics. This is, though, where hacking meets politics (cyber-hacktivism, Occupy) and the criminal world (cyber crime).
Cyber crime drivers
The number of computer users, websites, web users and so on still grows every day, and so the number of potential victims and attack vectors increases every day. Due to broadband Internet the use of powerful hacking tools and techniques stays unnoticed and hides itself within normal Internet traffic. This drives the hacker. Another major driver is making money, sometimes a lot of money. It is known that some botnet herders earn more money in one day than normal employees in a month.

A technical driver for cyber crime is the public availability of hacking tools and techniques. High volumes of trade are found on the underground or black markets, where you can buy names and IP addresses of hacked victims, zero-day exploits, botnets for lease, ready-to-use attacks and stolen credit card numbers. Due to the current hacking exposure (bragging, personal gain) it is easy to recruit youngsters and create groups to then mould into crackers and criminals. The final driver for hacking is the very low chance of getting caught. This attracts even more recruits.
Profiling Hackers

In 2004 a team of researchers started the so-called Hackers Profiling Project (HPP): a theoretical collection of evidence and observations on the IT underground security scene. This project led to a classification database, which was checked against the original theoretical model that defined hackers' profiles.

First model

The researchers drafted a model and then combined this first model with real evidence, such as convictions, as well as with actual observations of the real hackers' world. The first model, which was purely theoretical, was published to raise awareness. In the same period the book [3] was published.
Profile                         | Rank         | Impact level | Target
--------------------------------+--------------+--------------+---------------------------------------------------------------
Wannabe lamer                   | Amateur      | Null         | End-user
Script kiddie                   | Amateur      | Low          | SME, specific security flaws
Cracker                         | Hobbyist     | Medium-High  | Business company
Ethical hacker                  | Hobbyist     | Medium       | Vendor, technology
Quiet, paranoid, skilled hacker | Hobbyist     | Medium-High  | On necessity
Cyber-warrior                   | Professional | High         | "Symbol" business company, end-user
Industrial spy                  | Professional | High         | Business company, corporation
Government agent                | Professional | High         | Government, suspected terrorist, strategic company, individual
Military hacker                 | Professional | High         | Government, strategic company

[3] Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, ISBN 978-1-4200-8693-5-9000.
Second model
In 2005 and 2007 some dramatic changes were witnessed within the hacking
underground scene. Changes concerned moods, new actors and an increase of organized
crime involvement and information warfare. These observations led to a second model
that was more than just theoretical. This model made it possible to profile hacks and to
define methods of defence based on the experience and technology level of the hacker.
Profile                         | Offender ID                                             | Lone/Group hacker         | Motivations/Purpose
--------------------------------+---------------------------------------------------------+---------------------------+------------------------------------------------------------------------
Wannabe lamer                   | 9-16 years, "I would like to be a hacker, but I can't"  | Group                     | For fashion, it's cool => to boast and brag
Script kiddie                   | 10-18 years, the script boy                             | Group, but they act alone | To give vent to their anger, attract mass media attention
Cracker                         | 17-30 years, the destructor, burned ground              | Lone                      | To demonstrate their power / attract mass media attention
Ethical hacker                  | 15-50 years, the 'ethical' hacker's world               | Lone, group only for fun  | For curiosity, to learn and altruistic purposes
Quiet, paranoid, skilled hacker | 16-40 years, the very specialised and paranoid hacker   | Lone                      | For curiosity, to learn => egoistic purposes
Cyber-warrior                   | 18-50 years, the soldier, hacking for money             | Lone                      | For profit
Industrial spy                  | 22-45 years, industrial espionage                       | Lone                      | For profit
Government agent                | 25-45 years, CIA, Mossad, FBI, etc.                     | Lone/Group                | Espionage / counter-espionage, vulnerability test, activity monitoring
Military hacker                 | 25-45 years                                             | Lone/Group                | Monitoring / controlling crashing systems
A history of hacking and hackers
OK, so now we’ve got an idea of the hacker’s world and we know a bit more about the
persons behind the masks. This leaves us with the following questions: is hacking a new
phenomenon? Or does it just attract more media exposure?
Famous hacks

According to a recent article [4] in a Dutch computer magazine called CHIP, hacking is not new. This article states that a very first hack was already performed in 1184 BC, when the famous Trojan horse was left on the beach. And there are many more historic hacks, such as the cracking of the Enigma code and recent cyber attacks. Below, a historic overview of famous hacks is given:

Date    | Name           | Hack
--------+----------------+----------------------------------------------------------------------------------------------
1184 BC | Trojan horse   | A Greek attack force hidden in a wooden horse, left on the beach. Later, this became the synonym for malicious software code.
1939    | Enigma         | An international team of cryptologists cracks the German Enigma code.
1961    | Space War      | Steve Russell programs the code for the first computer game, called Space War, on a research computer at MIT.
1971    | Blue Box       | John T. Draper manages to control the AT&T voice response dialling system with a simple whistle. After this, the Blue Box programme is developed to conduct free telephone calls.
1984    | Btx-hack       | The Computer Chaos Club (CCC) steals € 135.000 by breaking through the security of the Bildschirmtext system. One day later, they return the money.
1988    | Morris worm    | Robert Tappan Morris codes the first computer worm programme at the age of 23.
1993    | Green Building | MIT students create a giant decibel meter at their student flat building on the campus.
1999    | DeCSS          | A 15 year (!) old Norwegian, Jon Lech Johansen, cracks the cryptographic code of DVDs.
2000    | I Love You     | This computer worm, wrapped in an 'I love you' message, spreads across the world and causes billions of damage.
2007    | Estonia        | Cyber attacks launched at the Estonian department, the parliament, the banking systems and the media.
2010    | Stuxnet        | A computer worm specifically constructed to attack industrial IT infrastructures. The worm targeted Iranian nuclear power plants and industrial software used for enriching uranium. While no one in government came forward to claim responsibility for Stuxnet, those on the front lines of IT security are 100% certain it was a government agency who created it, like cryptologists at the National Security Agency of the U.S. or a similar organization in Israel and the UK.
2010    | Kinect         | Xbox 360 fans, not willing to wait until the official launch of the new Kinect hardware, develop programming code to simulate the Kinect.
2011    | PSN-hack       | During several hacks at the Sony PlayStation Network more than 1000 credit card details of customers are stolen. After the online PlayStation Network (PSN) had been down for a week, Sony finally came out and admitted "user account information was compromised in connection with an illegal and unauthorized intrusion into our network."
2011    | DigiNotar      | On 29 August 2011 it became known that a fraudulent DigiNotar security certificate had been issued for Google.com as a result of an intrusion, which finally led to the bankruptcy of DigiNotar.
2011    | Duqu           | The next generation of Stuxnet. This super Trojan virus is likely the brainchild of a government security apparatus.
2012    | Cyber war      | According to many IT-security experts, cyber attacks performed by governments or governmental agencies will focus on energy IT infrastructures as well.
2012    | Flame          | Developed by professional software developers. Advanced architectural design, with a scripting language called Lua that allows the attackers to create custom modules for the threat. It contains an SQLite database used to collect and store information.

[4] CHIP magazine, 2012, issue 91, from the article 'Historic Hackers', by Manuel Köppl and Peter Marinus.
Hacking matrix

A historic overview of famous hacks is nice, but an interesting question is: what impact do these hacks have? Do they all have the same massive and destructive impact, or can we distinguish a level of impact and innovative character? The Institute of Electrical and Electronics Engineers [5] (IEEE) created the so-called "Hacking Matrix" [6] to rank the above-mentioned hacks according to their impact and innovative character. They took 25 of the biggest and best stories and assessed them along two dimensions: impact and innovation. This model shows that the hacks can be placed in (roughly) four categories:

[5] IEEE, a non-profit organization, is the world's largest professional association for the advancement of technology.
[6] http://spectrum.ieee.org/static/hacker-matrix
Figure: Hacking matrix (impact versus innovation)
Famous hackers

Now that we know the hacks and their impact, let's have a look at the hackers themselves. In his article 'The ten biggest legends of the hacker universe' [7], Carlos Cabezas López has drafted a list of the persons behind the hacks. I personally added two more recent and famous hackers (collectives) to the list: Anonymous and Lulzsec.

[7] The Ten Biggest Legends of the Hacker Universe, http://voices.yahoo.com/the-ten-biggest-legends-hacker-universe-369297.html
Kevin Mitnick: Known worldwide as the "most famous hacker" and also for being the first to serve a prison sentence for infiltrating computer systems. He started dabbling when he was a minor, using a method known as phone phreaking. Although he has never worked in programming, Mitnick is totally convinced that you can cause severe damage with a telephone and some calls. These days, totally distanced from his old hobbies and after spending many years behind bars, he works as a security consultant for multinational companies through his company "Mitnick Security."

Gary McKinnon: This 41-year-old Scotsman, also known as Solo, is the perpetrator of what is considered the biggest hack in the history of computer science: into a military system. Not satisfied with this, in the years 2001 and 2002 he made a mockery of the information security of NASA itself and the Pentagon. Currently he is in prison and is prohibited access to a computer with an Internet connection.

Vladimir Levin: This Russian biochemist and mathematician was accused of having committed one of the biggest bank robberies of all time by means of the cracking technique. From St Petersburg, Levin managed to transfer funds estimated at approximately 10 million dollars from Citibank in New York to accounts he had opened in distant parts of the world. Interpol arrested him in 1995 at Heathrow airport (UK). Although he managed to rob more than 10 million dollars, he was only sentenced to three years in prison. Currently he is a free man.

Kevin Poulsen: Today he may be a journalist who collaborates with authorities to track paedophiles on the Internet, but Poulsen has a dark past as a cracker and phreaker. The event that brought him the most notoriety was taking over Los Angeles phone lines in 1990. A radio station was offering a Porsche as a prize for whoever managed to be caller number 102. It goes without saying that Poulsen was the winner of the contest.

Timothy Lloyd: In 1996, information services company Omega, provider to NASA and the United States Navy, suffered losses of around 10 million dollars. And it was none other than Tim Lloyd, a former employee who had been fired some weeks earlier, who caused this financial disaster. Lloyd left a virtually activated information bomb in the company's code, which finally detonated on July 31 of that same year.

Robert Morris: Son of one of the forerunners in the creation of the virus, in 1988 Morris managed to infect no fewer than 6,000 computers connected to the ArpaNet network (one of the precursors of the Internet). He did this from the prestigious Massachusetts Institute of Technology (MIT). For his criminal activities he earned a four-year prison sentence, which was finally reduced to community service.

David Smith: Not all hackers can boast of creating the virus that spread the fastest to computers the width and breadth of the globe; David Smith can. In 1999, the father of the Melissa virus managed to infect and crash 100,000 email accounts with his malicious creation. Smith, who was thirty years old at the time, was sentenced and freed on bail.

MafiaBoy: In February of 2000, many of the most important online companies in the US, such as eBay, Yahoo and Amazon, suffered a technical glitch called Denial of Service, which caused a total of 1700 million dollars loss. But did these sites know that the perpetrator of the attack was a 16-year-old Canadian who went by the alias MafiaBoy? Surely not, although it didn't take them long to find out, thanks to his bragging about his bad deed to his classmates at school.

Richard Stallman: Since the early 80s, when he was a hacker specializing in artificial intelligence, this hippie-looking New Yorker has been one of the most active militants in favour of free software. At MIT he firmly opposed the privatization of the software used by the institute's laboratory. He created what today is known as GNU and the concept of CopyLeft. Popular systems like Linux utilize the GNU mode and Stallman is currently one of the gurus of software democratization.

Masters of Deception (MoD): MoD was a New York cyber-gang that reached its apogee in the early 90s. Under the cover of different aliases, its biggest attacks involved taking over telephone lines and centres of the Internet, then still in its infancy. During this time MoD starred in the historic "battles of the hackers," along with other groups like the Legion of Doom (LoD), as they sought to destroy each other until the computers couldn't take it anymore.

Anonymous collective [8]: Hello World. We are Anonymous. What you do or do not know about us is irrelevant. We have decided to write to you, the media, and all citizens of the free world to inform you of our intentions, potential targets, and our ongoing, active campaign for the freedom of information exchange, freedom of expression, and free use of the Internet.

Lulzsec [9]: Lulz Security, commonly abbreviated as LulzSec, was a computer hacker group that claimed responsibility for several high profile attacks, including compromising Sony Pictures user accounts in 2011. The group also claimed responsibility for taking the CIA website offline. Some security professionals have commented that LulzSec has drawn attention to insecure systems and the dangers of password reuse. Lulzsec gained attention due to high profile targets and sarcastic posts in the aftermath of their attacks. One of the founders of LulzSec was a computer security specialist who used the online moniker Sabu. The man accused of being Sabu has helped law enforcement track down other members of the organization as part of a plea deal. At least four associates of LulzSec were arrested in March 2012 as part of this investigation. British authorities had previously announced the arrests of two teenagers they allege are LulzSec members: T-flow and Topiary.

[8] http://www.indybay.org/newsitems/2010/12/09/18666107.php, http://nl.wikipedia.org/wiki/Anonymous_(groep)
[9] http://nl.wikipedia.org/wiki/LulzSec
The hack itself: objectives and methods

Now that we have an understanding of hackers, hacking, phreaking and cracking and the impact they can cause, including in some cases destructive consequences, it is time to dig a little deeper and find out more about the actual hack itself, the objectives and the methods.

We distinguish two types of hacks: the 'normal' hack and the so-called ethical hack. The law forbids a 'normal' hack. An ethical hack, however, is a hack on demand: the client and the hacker are bound by a mutually agreed contract.
The main purpose of a hack is gaining access to IT systems, resources or sensitive
information. To achieve this, the hacker will try to get administrator or root access rights.
With these access rights he can fully control the network or system. He can cover his
tracks, create backdoors and jump forward to new victims.
Objectives
In general, there are two objectives for hacking. The first objective is to create a botnet and use this botnet for SPAM runs or DDoS attacks. The second objective is to hack into a system to find sensitive information and exfiltrate that information by normal IT communication means or by covert network channels.
Botnet
A botnet consists of a large group of infected computers. The botnet virus hides on the victim's computer and tries to remain unnoticed. The botnet virus may present a fake result to antivirus software, making the antivirus software think the computer is not infected. Besides this, the botnet virus makes itself available for the creation of new viruses. After successful infection, the victim's computer is part of the botnet and known as a zombie computer or bot. Bots and botnets are a common form of Internet crime and a powerful means for hackers. Botnets can be small and consist of a few hundred zombie computers, but some botnets actually consist of hundreds of thousands of zombies.
SPAM is a collective name for unsolicited (email) messages and also for unwanted junk email advertisements on websites. Spam differs from other forms of commercial communication because a message is sent to a group that is much larger than the potential audience. Characteristics of a SPAM message are:

- Sent in large quantities, up to (100) thousands of people simultaneously.
- Commercial purpose. A reference in a SPAM message typically includes a product or website.
- Sent or posted without the permission or knowledge of the owner, or without prior consent of the receiver.

The idea behind a SPAM message is to lure the victim to a bogus website where a dropper installs malicious software code, or to persuade the victim to open a bogus attachment, which installs the malicious software.
DDoS: Denial-of-Service attacks (DoS) and Distributed Denial-of-Service attacks (DDoS) are attempts to disable or disrupt computer services for the intended users. The difference between a DoS and a DDoS attack is that the latter carries out the attack from multiple computers simultaneously, often a botnet. It can also involve multiple individuals who coordinate their actions (the so-called Anonymous movement). The motive remains the same: disabling or disrupting the computer services for the intended users.

The most often executed network-based Denial-of-Service attacks fall into two categories: malformed packet attacks and packet floods.

- Malformed packet attacks: these attacks usually involve one or two packets that are formatted in an unexpected way. If the software handles such errors poorly, the system may crash when it receives such a packet.
- Packet floods: these attacks send a deluge of traffic to a system on the network, overwhelming its capability to respond to legitimate users. Attackers have devised numerous techniques for creating such floods, with the most popular being SYN floods, directed broadcast attacks and distributed Denial-of-Service tools.
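Both categories can be recognised from the defender's side with simple checks over packet records. The Python below is an added example and not part of the original whitepaper: it flags malformed packets (a claimed IP length smaller than the minimum IP plus TCP headers, a fragment that would reassemble beyond 65535 bytes as in the Ping of Death, SYN and FIN set together, or no TCP flags at all), and then looks, per destination and time window, for the SYN flood signature: many bare SYNs whose senders never follow up with an ACK. The Packet record type, the thresholds and the sample traffic are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

IP_MIN_HDR = 20          # minimum IPv4 header length in bytes
TCP_MIN_HDR = 20         # minimum TCP header length in bytes
MAX_IP_DATAGRAM = 65535  # largest datagram IPv4 can describe


@dataclass(frozen=True)
class Packet:
    """One observed packet; a constructed record type, not a capture format."""
    ts: float          # seconds since capture start
    src: str
    dst: str
    flags: str         # TCP flag letters, e.g. "S", "A", "SA", "SF"
    ip_len: int        # total length claimed in the IP header
    frag_off: int = 0  # fragment offset in 8-byte units


def malformed_reasons(p: Packet) -> List[str]:
    """Return the reasons a packet is malformed; an empty list means it looks sane."""
    reasons = []
    if p.ip_len < IP_MIN_HDR + TCP_MIN_HDR:
        reasons.append("IP length below minimum IP+TCP header size")
    if p.frag_off * 8 + p.ip_len > MAX_IP_DATAGRAM:
        reasons.append("fragment would reassemble beyond 65535 bytes")
    if "S" in p.flags and "F" in p.flags:
        reasons.append("SYN and FIN set together")
    if not p.flags:
        reasons.append("no TCP flags set")
    return reasons


def syn_flood_suspects(packets, window=10.0, min_syns=20, max_completion=0.2):
    """Per destination and time window, count bare SYNs and how many of their
    senders later send an ACK. A high SYN count with a low completion ratio is
    the signature of a SYN flood. Returns {dst: (syn_count, completion_ratio)}."""
    buckets: Dict[Tuple[str, int], List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[(p.dst, int(p.ts // window))].append(p)
    suspects = {}
    for (dst, _), pkts in buckets.items():
        syn_srcs = [p.src for p in pkts if "S" in p.flags and "A" not in p.flags]
        if len(syn_srcs) < min_syns:
            continue
        acked = {p.src for p in pkts if "A" in p.flags and "S" not in p.flags}
        completed = sum(1 for s in syn_srcs if s in acked)
        ratio = completed / len(syn_srcs)
        if ratio <= max_completion:
            suspects[dst] = (len(syn_srcs), round(ratio, 2))
    return suspects


def analyse(packets):
    """Run the malformed-packet check first, then the flood check on the rest."""
    malformed = [(p, malformed_reasons(p)) for p in packets if malformed_reasons(p)]
    clean = [p for p in packets if not malformed_reasons(p)]
    return {"malformed": malformed, "syn_flood": syn_flood_suspects(clean)}


def build_sample() -> List[Packet]:
    """Constructed traffic towards one server: ten completed handshakes,
    a fifty-source SYN flood and two malformed packets."""
    server = "203.0.113.10"
    pkts = []
    for i in range(10):
        client = f"10.0.0.{i + 1}"
        pkts.append(Packet(1.0 + i * 0.1, client, server, "S", 60))
        pkts.append(Packet(1.2 + i * 0.1, client, server, "A", 52))
    for i in range(50):
        pkts.append(Packet(2.0 + i * 0.01, f"198.51.100.{i + 1}", server, "S", 60))
    pkts.append(Packet(3.0, "192.0.2.7", server, "SF", 40))
    pkts.append(Packet(3.1, "192.0.2.8", server, "", 1500, frag_off=8100))
    return pkts


if __name__ == "__main__":
    report = analyse(build_sample())
    for p, why in report["malformed"]:
        print(f"malformed packet from {p.src}: {', '.join(why)}")
    for dst, (syns, ratio) in report["syn_flood"].items():
        print(f"possible SYN flood against {dst}: {syns} SYNs, {ratio:.0%} completed")
```

The fixed-window bucketing is deliberately simple: a handshake whose SYN and ACK straddle a window boundary counts as incomplete, so in practice the thresholds should be tuned against a baseline of the server's normal completion ratio rather than copied from this example.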
Data exfiltration

In computing terminology, exfiltration refers to the unauthorized release of data from within a computer system. This includes copying data through covert network channels or copying data to unauthorized media.

Organisations try to build their infrastructure in such a way that sensitive information is protected and people with wrong intentions are kept out. However, once hackers have hacked into your IT infrastructure, there are quite a few methods for retrieving sensitive information, even encrypted information. Methods of exfiltration are:

- Using permitted protocols, usually Domain Name Services (DNS) traffic and Hyper Text Transfer Protocol (HTTP) traffic, to send out information. The data itself may be sensitive and filtered by Data Leakage Prevention (DLP). Therefore, the attacker encrypts the sensitive information using his public key and sends out the data through services such as Dropbox, Facebook, Twitter, blog comments and posts. Often these services are not filtered by the organisation's control mechanisms and are easy to set up if needed.
- Printing is another method of exfiltration. Encrypted information is sent to a company printer. Such printouts are likely to end up in the paper bin rather than the shredder. Old-school dumpster diving is used to retrieve these documents afterwards. Such documents just need to be OCR'd after their retrieval and decrypted to reveal the sensitive data that has been stolen.
- An alternative to printing encrypted data is using devices with fax capabilities.
- The last method to exfiltrate data is through a company's Voice over IP (VoIP) network. VoIP networks are usually accessible from the local network. Sensitive information is converted from its binary format to an audio format and sent out through the VoIP network.
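The first method above, carrying data out in a permitted protocol, leaves a recognisable trace in DNS logs: one registered domain receives many distinct, long, high-entropy subdomain labels, because encrypted or encoded data looks nothing like host names. The following Python is an added example, not code from the whitepaper: it parses a constructed "timestamp client qname qtype" log, groups queries by registered domain (assumed here to be the last two labels, where a production tool would consult the public suffix list), and reports domains whose subdomains are numerous, long and high in entropy. The log lines and the domain names are constructed for the example, and the payload-like labels are SHA-256 prefixes standing in for encoded data.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[float, str, str, str]  # (timestamp, client, qname, qtype)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: encoded payload scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split a query name into (subdomain part, registered domain).
    Assumption: the registered domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> List[Record]:
    """Parse the constructed 'ts client qname qtype' log format used below."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        records.append((float(ts), client, qname, qtype))
    return records


def suspicious_domains(records, min_unique=20, min_avg_len=24, min_avg_entropy=3.0):
    """Flag registered domains that receive many distinct, long, high-entropy
    subdomain queries: the shape of data being carried out inside DNS labels."""
    per_domain: Dict[str, Set[str]] = defaultdict(set)
    for _, _, qname, _ in records:
        sub, dom = split_name(qname)
        if sub:
            per_domain[dom].add(sub)
    hits = {}
    for dom, subs in per_domain.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            hits[dom] = {"unique_subdomains": len(subs),
                         "avg_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2)}
    return hits


def build_sample_log() -> str:
    """Constructed query log: ordinary lookups, a busy internal domain with many
    short host names (must not be flagged), and thirty queries with payload-like
    labels towards one domain (must be flagged)."""
    lines = []
    ts = 1700000000
    benign = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    for i in range(40):
        lines.append(f"{ts + i} 10.0.0.12 {benign[i % len(benign)]} A")
    for i in range(30):
        lines.append(f"{ts + 50 + i} 10.0.0.20 host{i}.corp.example.org A")
    for i in range(30):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]
        lines.append(f"{ts + 100 + i} 10.0.0.34 {label}.{i:04d}.tunnel.example.net TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    for dom, stats in suspicious_domains(parse_log(build_sample_log())).items():
        print(f"possible DNS exfiltration towards {dom}: {stats}")
```

The internal domain with thirty distinct host names shows why the length and entropy checks matter: unique-subdomain count alone would flag any large internal zone, whereas short, word-like labels fail the other two thresholds. Content delivery networks and some anti-spam services legitimately use long encoded labels, so a domain allow-list belongs in front of this check before it is used for alerting.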
Ethical hacking
Ethical hacking is to look at the IT infrastructure of an organisation through the eyes of a
hacker. The objective is to test the strength of the security of the target. Usually ethical
hacking is carried out on the basis of prior arrangements on how to deal with identified
weaknesses. These may vary from just reporting to actually exploiting the weakness.
By the way: a hacker who contacts your company saying he has carried out an ethical hack and identified some security weaknesses he wants to discuss with you is just a (criminal) hacker and punishable according to article 138ab (Dutch Law) of the criminal code.
There are several methods for performing an ethical hack:
White box testing: the hacker receives information about the target in advance.
Black box test: the hacker has not received information about the target in advance.
Grey box testing: a combination of white box and black box testing.
It is important to make solid arrangements and a legal contract with the ethical hacker
before any test is conducted. These arrangements should at least include:
Captured and signed agreements on targets, times, contacts, alerts and responsibility.
Adopted and signed waiver and authorization documents.
Adopted and signed agreements on archiving, destruction and the retention period of observations.
Remember: when you hire an ethical hacker to perform a security test of your IT environment, things can go wrong: servers may go down, network components may power down and (sensitive) information could get deleted or modified. It is important to have a business continuity plan, or at least a (tested) full backup stored at a secure place, before conducting any penetration test.
Social Engineering
Social engineering [10] is a psychological attack vector rather than a technical one. It is the human side of breaking into corporate or personal PCs to gain information. Social engineering is a way to induce the weakest link (humans) to do something or to give away sensitive information that is not actually needed or necessary. Every company, even those in possession of an authentication process, firewalls, VPNs and network monitoring software, is subject to the skill of a good social engineer. Where hacking relies largely on technical skills, social engineering relies more on persuasion skills: the social engineer tries to get his subject to tell him what he needs to get into the system. In most cases, the social engineer does not come face to face with his target. Social engineering exploits the attributes of the human decision-making process known as cognitive biases. Social engineers use different techniques; an overview:
Pre-texting: creating a false scenario to make a targeted victim feel comfortable
enough to give information. This technique includes more than simple lying. In some
cases an authoritative and earnest sounding voice does the job, but often it includes
impersonating an individual the targeted victim trusts and believes has the right to
get the information asked for.
Diversion theft: the social engineer's goal is to divert goods to a different location. To this end he persuades an administrator or the personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load.
Phishing: this is a popular email fraud technique to obtain private information. An
email is sent from what appears to be a trustworthy organisation and the message
often includes some sort of warning of consequences if the recipient does not provide
personal information. Phishing sometimes involves websites that resemble the
website of a legitimate organisation to convince targets that it is OK to provide
financial or personal information.
IVR or phone phishing: the idea is the same as normal phishing, but in this case intended targets are asked, through an email or letter from what seems to be a trustworthy entity, to phone them. Phone phishing is also called vishing.
Baiting: a technique like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. The social engineer leaves a malware-infected media device in a location sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. Once the media device is inserted it installs malware, giving the engineer unfettered access to the target's PC or internal network.
Quid pro quo: simply "something for something". In other words: the social engineer calls the targeted victim and offers something, maybe money, chocolates or merchandise, in exchange for passwords or other personal information.
Social engineers are not just technical. They know how to make use of human weaknesses such as: an awe of authority, sympathy with the "problems" of the other, empathy or sensitivity to charm, wanting to do something in return, and sensitivity to pressure and urgency.
The attack plan and phasing is very similar to that of a technical attack. A large part of the needed timeframe resides in the first phase: the preparation (foot printing) and winning the trust of the victim. The following phase is to determine the strategy or attack plan.
The main measure against social engineering is to create an overall security awareness program. Train your users on a regular basis and test the effectiveness of your plan by performing resistance tests such as a penetration test, the use of mystery guests and online test programs.
[10] The Hacker News, May 2011 - Issue 02 - Social Engineering Edition
Phases of a hack (or how it works)
Now that we know the methods and objectives of a hack and have gained some insight into what techniques are used for hacking, it is time to look into the hack in more detail. Hacks are usually built up in steps or phases. These phases, eight in total, I will discuss below.
Foot Printing
The aim of foot printing is to obtain general information about the target through publicly
available information that is found on public web pages, in telephone directories, yellow
pages, or from the Chamber of Commerce directory. Useful information can be employee
names, addresses, telephone numbers, function names and organisation schemes. This
information will be used in the actual hack, or during a social engineering attack method.
Objective: to find out as much as possible about the intended target, such as address ranges and naming acquisition. This gathering of information is essential prior to a surgical attack. The key here is not to miss a thing.
Techniques: open and publicly available source searches (Pipl, Google, Facebook, Hyves), Whois queries, and DNS zone transfers.
Tools: Usenet, Sam Spade, UNIX clients, ARIN database.
A special focus during the foot-printing phase lies on specific ICT information: online vacancies, names of (IT) managers, information about IT systems, networks and applications. Hackers often use underground communication channels such as Usenet and IRC channels, and automated tools like Whois, Netcraft and Google. This phase can take up to 80% of the total time needed to conduct the hack. The more time a hacker spends on foot printing, the more detailed information he will have to pinpoint the weakest spots, and the greater his chance of success.
Scanning
Scanning concerns determining hosts, scanning for open ports, and determining services and their software versions. The information from the foot-printing phase is used for scanning.
Objective: bulk target assessment and identification of listening services focuses the attacker's attention on the most promising avenues of entry.
Techniques: ping sweep, TCP and UDP port scans.
Tools: Nmap, scan.exe, fping, bindview, webtrends, ws_ping propack.
There are four types of scans:
1. IP scan: to scan a range of IP addresses systematically.
2. Port scan: setting up a connection to an application that listens in on a particular port.
3. Finger printing: used to determine what software version the identified hosts runs.
4. Banner info: some applications give away information in so-called banner information.
Enumeration
Enumeration is deployed to prepare a detailed map showing all the (network) targets and
their reactions to the scans. Enumeration utilities are used to extract users, groups, and
file and share permissions directly from Windows.
Objective: more intrusive probing now begins as the attacker identifies valid user accounts or poorly protected resource shares.
Techniques: list user accounts, list file shares, identify applications.
Tools: DumpACL, NULL sessions, Onsight Admin, showmount, NAT, banner grabbing with Telnet or netcat, rpcinfo, and the use of built-in Windows programs (Windows 9x and later versions), such as nbtstat, netstat and net, after gaining a command prompt.
Gaining Access
In this phase, the purpose is to gain access to IT resources, accounts and/or information.
This can only succeed if the proper access rights are obtained. Obtaining access may also
include social engineering techniques or the use of exploits. The hacker’s goal is to get
admin or root privileges. With sufficient access rights, he can install root kits and Trojans
to preserve access to the systems. Trojan horses rely on deception - they trick a user or
system administrator into running them for their (apparent) usefulness - but their true
purpose is to attack the user's machine. Root kits allow an attacker who already has
super user access to keep that access by foiling all attempts of an administrator to detect
the invasion.
Objective: At this point, the hacker has enough data to make an informed attempt to
access the target.
Techniques: Password eavesdropping, file share brute force, password file grab, buffer
overflows
Tools: TCPdump, l0phtcrack, NAT, Legion, tftp, pwdump, ttdb, IIShack
Escalating privilege
The purpose of escalating privilege is to gain access to IT resources, accounts and/or information, just as in the previous phase. This time, however, the attacker will seek full control of a system, with the ultimate goal of owning the IT infrastructure.
Objective: the attacker will now seek to gain complete control of the system. If he
succeeds, he actually owns your IT infrastructure.
Techniques: password cracking, known exploits.
Tools: crack, l0phtcrack, rdist, getadmin, and sechole.
Pilfering
The purpose of the pilfering phase is to get access to trusted systems and sensitive
information. This phase combines the outcomes of the previous phases with new
information about trusted systems and locations of sensitive information.
Objective: to identify mechanisms to gain access to trusted systems and sensitive
information.
Techniques: evaluate trust, search for clear-text passwords.
Tools: rhosts, LSA secrets, user data, configuration files, registry.
Covering tracks
A hacker wants to keep control over his victims and therefore needs to cover his tracks.
Often he does this by manipulating the log system.
Objective: trap doors laid in various parts of the system ensure that privileged access is easily regained at the whim of the intruder.
Techniques: create rogue user accounts, schedule batch jobs, infect start-up files, plant
remote access services, install monitoring mechanisms, and replace apps with Trojans
Tools: members of the wheel, administration, CRON, AT, rc, Start-up folder, registry
keys, netcat, remote.exe, VNC, keystroke loggers, add account, mail aliases, login,
fpnwclnt.dll
A way to prevent being discovered is using covert channels, manipulating or concealing regular communication, or bypassing existing measures. The hacker manipulates the log system: he disables it completely, creates false log entries, or adjusts the log levels.
Creating backdoors
When a hacker has gained access, he needs to ensure he can return "unseen". He therefore installs a backdoor or root kit. A backdoor is a small program that bypasses traditional security checks on a system, allowing an attacker to gain access to a machine without providing a system password and without being logged.
Objective: identifying mechanisms to gain access to trusted systems and sensitive
information
Techniques: evaluate trust, search for clear-text passwords.
Tools: rhosts, LSA secrets, user data, configuration files, registry.
Prevention: how not to get hacked
Probably the most valuable information on hacking is information about prevention. How not to get hacked? How to identify a hack? That is what this chapter is about. I will supply information about general counter measures and specific counter measures.
General counter measures
Counter measures come in different forms and must be implemented according to their objective. Counter measures can be:
Directive: actions taken to cause or encourage a desirable event to occur. Directive
controls are broad in nature and apply to all situations.
Preventive: to detect problems before they arise. Attempting to predict potential
problems before they occur and making necessary adjustments.
Detective: to detect and report the occurrence of an error, omission or malicious act.
Corrective: to minimize the impact of a threat; remedy problems discovered by
detective controls, identify the cause of a problem and correct errors arising from a
problem;
Compensating: to compensate for measures that are not effective. If they help to
achieve the control objective and are cost-effective, they are considered adequate.
Class: Directive
Examples: organisational structure; policies; procedures; management directives; guidance statements; circulars; job descriptions.
Class: Preventive
Examples: timely reconciliation of accounts; restricted areas, money safes, controls over night collections; plans, goals, budgets, and comparison of the actual with budgets; procedure manuals; adequate checks on employment background for all new employees; employing only qualified personnel; segregation of duties (deterrent factor); controlling access to physical facilities; use of well-designed documents (prevents errors); suitable procedures for authorization of transactions; complete programmed edit checks; access control software that allows only authorized personnel to access sensitive data; encryption software to prevent unauthorized disclosure of data.
Class: Detective
Examples: aging analysis of accounts receivable; inspection procedures for incoming materials; having the personnel department authorize the hiring of all employees, set pay levels and pay rate changes; ensuring the existence of management approvals, dual controls, system access controls and supervisory review; a work order system to track maintenance costs; pre-numbered checks; requiring all employees to take annual vacation; periodic audits; hash totals; check points in production jobs; echo controls in telecommunication; error messages over tape labels; duplicate checking of calculations; periodic performance reporting with variances; past-due account reports; review of activity logs to detect unauthorized access attempts.
Class: Corrective
Examples: contingency planning; backup and recovery procedures; rerun procedures; error detection and resubmission; audit trails; discrepancy reports; error statistics.
Class: Compensating
Examples: batch control reconciliations; transaction logs; reasonableness tests; independent reviews and audit trails, such as console logs, library logs and job accounting data; sequence checks and check digits; retention of source documentation.
Identifying the hack
Identifying aims to discover hackers, preferably before the actual hack occurs and
includes the sub processes auditing and security monitoring. Auditing focuses on finding
vulnerabilities and ineffective controls and security monitoring aims at detection of
deviation.
Auditing
Vulnerability scanners are tools for real-time auditing. The results of the scanners can be used as input for the vulnerability and patch management process [11]. Vulnerability scanners can be network based or host based.
Password auditing tools intend to verify if passwords in use meet the requirements in the
policy. Often those requirements are not enforced or periodically checked. Specifically for
user passwords, it is difficult to find a good balance between user functionality and
security. Currently, acceptable password lengths are 10 alphanumeric characters for user
passwords and 14 characters for administrators. Even better is to use two-factor
authentication for administrators.
Integrity checks are in place to discover changes in files. The checksum values of these
files are periodically compared with earlier values.
Security monitoring
Security monitoring aims to detect deviations through analysing (real-time) events and should include physical security events in the security-monitoring environment (burglar alarms, CCTV images, personnel movement, transportation, unauthorized access, infrared detection, etcetera). Most organisations do not include those physical events due to the traditional separation between logical and physical security.
Security monitoring could require using IDS or IPS systems. The power of these systems
is that all events are logged. However, their disadvantage is that they generate too much
data that cannot be analysed without filters or reporting tools. A frequently used tool is
Security Information & Event Management (SIEM). Beware though: SIEM could be a
target for hackers too.
[11] A patch is a small program that adjusts existing software to fix errors or bugs in the software. Patches can be preventive (preventing problems), adaptive (environmental changes), corrective (solving incidents/problems) and perfective (change in specifications).
Specific measures: top 10 defences
Besides the general counter measures mentioned above, there are also specific measures
that can be implemented to prevent being hacked. A top 10:
1. Incident response
Truly effective incident response procedures should be multidisciplinary and not just
focus on IT. Instead, document and communicate the roles, responsibilities and
communication channels for Legal, HR, Media Relations, IT and the Security Department.
A specific member should be identified as the core of a Security Incident Response Team
(SIRT) to be called together to address an incident when one occurs. A SIRT should also
conduct periodic exercises of the incident response capability to ensure that team
members are effective in their roles.
2. Network design measures
To defend against network mapping and port scans, the administrators should remove all
unnecessary systems and close all unused ports. The administrator must disable and
remove unneeded services. Only those services that have a defined business need should
be active. A security administrator should periodically scan the systems.
3. Network scanning measures
Administrators must close unused network ports. To eliminate the majority of system
vulnerabilities, system patches should be applied in a timely fashion. All organizations
using computers should have a defined change control procedure that specifies when and
how system patches will be kept up-to-date.
This procedure should include conducting periodic vulnerability scans of networks to find
vulnerabilities before attackers do. Discovered vulnerabilities should be addressed in a
timely fashion by updating system configuration or applying the patches.
If you use traditional telephone networks it is advised to implement measures against war dialling. The best defence is using strong modem policies that prohibit the use of modems and incoming lines without a business need. Besides this, conduct war-dialling exercises on your networks to find unregistered modems. These devices must then be located and deactivated before attackers find them.
Ways to avoid successful foot printing/exploration: use general business domain registration, like a general business telephone number (+31 88) [12]. This prevents business phone numbers from being publicly known and mapped to a (NL) region. Make use of a fictitious email address and monitor email messages delivered to this email address. Check yourself or your company on public websites like Pipl, Google, Facebook, Hyves, etc. If you find information, try to find out if this is necessary or could be used for target mapping. Last but not least, do not list all of your ICT infrastructure components in online vacancies.
[12] The Dutch regulatory authority OPTA has opened a 088 number range for companies and administrations. These organisations can request the assignment of numbers from this range (officially named "number for access to undertakings and administrations").
Make sure the "outer" network components are configured so that they do not give information (answers) on IP or port scans. Analyse and document used and unused services/protocols on your firewalls. Regularly audit the current settings of the network components and compare the results with previous results. Install Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) and analyse the logging. Locate your critical, Internet-facing business applications and determine how these applications react to scans. Regularly audit the "outer" network components and perform scans, or try to set up a netcat connection to their ports. Remember that your IT staff will not notice some scans or tools, just because they are 'hidden' in normal internet traffic or because a hacker scans during the night.
4. Network communication measures
The best defence against sniffing attacks is to encrypt data in transit. Do not send
passwords in clear text and eliminate the broadcast nature of Ethernet. Use switches
instead of hubs.
Also implement measures against IP spoofing. Systems should not use IP addresses for authentication. Any functions that rely solely on IP addresses for authentication should be disabled or replaced. Do not let administrators use the insecure UNIX r-commands: r-commands use only the IP address for authentication, without requiring a password. Use administrator tools requiring strong authentication instead. Implement anti-spoof filters on your Internet connection networks (DMZ). Anti-spoof filters drop all traffic coming from outside the organization that claims to come from inside.
5. Network connection takeover measures
Avoid the use of insecure protocols and applications for sensitive sessions, such as rlogin and Telnet. Instead, use secure shell (SSH). SSH provides strong authentication and encryption and can be configured to use its secure file transfer capability (SCP) to replace the traditional File Transfer Protocol (FTP).
6. Denial-of-Service measures
The best way to defend against Denial-of-Service attacks is to implement a solid
vulnerability and patch management process. Vendors frequently update their systems
with patches to handle a new flavour of Denial-of-service attack.
An adequate patch management process prevents many problems with software vulnerabilities. The time between the discovery of a vulnerability and the availability of an exploit to abuse the vulnerability gets shorter and shorter. So patch, patch and patch.
7. Stack-Based Buffer overflow defences
The most thorough defences against buffer overflow attacks are to properly code
software so that it cannot be used to smash the stack. All programs should validate all
input from users and other programs, ensuring that it fits into allocated memory
structures. Each variable should be checked to ensure that allocated buffers are capable
of holding this data. Additionally, security practitioners and system administrators should
carefully control and minimize the number of SUID programs on a system that users can
run. Only SUID programs with an explicit business need should be installed on sensitive
systems. Many stack buffer overflow attacks can be avoided by configuring the systems
in such a way that they do not execute code from the stack.
Web applications: deploy (internet-facing) web applications into production only after you have tested them. Make sure your web applications are developed using a formal software development method. The developer should assure that the web application is tested against at least the Open Web Application Security Project (OWASP) top 10 web application security risks [13].
In 2010, the largest web application risks were:
1. SQL injection
2. Cross-site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object references
5. Cross-site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards.
Set adequate account policies: enable passwords or even better, enforce strong passwords and use
strong authentication methods like tokens, smart cards, or biometrics for remote access services.
Encrypt sensitive information. Use account lock out procedures and limit login attempts for all IT
environments, not only for production. Log failed account and access attempts into a log system and
review these logs on regular basis. Adjust your policy settings if needed.
Data validation and editing procedures
Data validation ensures that an application is robustly secured against all forms of input data, whether
obtained from the user, infrastructure, external entities or database systems.
Sequence checks: the control number follows sequentially, and out-of-sequence or duplicated control numbers are rejected or noted in an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's invoices begin with 12001 and end with 15045. If any invoice number larger than 15045 is encountered during processing, that invoice will be rejected as an invalid invoice number.
Limit check: data should not exceed a predetermined amount. For example, payroll checks should not
exceed €4.000. If a check exceeds €4.000, the data will be rejected for further
verification/authorization.
Range check: data should be within a predetermined range of values. For example, product type code
ranges from 100 to 250.
Validity check: programmed checking of the data validity according to predetermined criteria. For
example, a payroll record contains a field for marital status and the acceptable status codes are M or S.
Reasonableness checks: input data are matched to predetermined reasonable limits or occurrence
rates. For example, a widget manufacturer usually receives orders for no more than 20 widgets. If
there is an order for more than 20 widgets, the computer program should be designed to print the
record with a warning indicating that the order appears unreasonable.
[13] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Table lookups: input data comply with predetermined criteria maintained in a computerized table of
possible values.
Existence checks: data are entered correctly and agree with valid predetermined criteria. For example,
a valid transaction code must be entered in the transaction code field.
Key verification: a separate individual using a machine that compares the original keystrokes to the
repeated keyed input repeats the keying process.
Check digit: a numeric value that has been calculated mathematically is added to the data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.
Completeness checks: a field should always contain data rather than zeros or blanks.
Duplicate check: new transactions are matched with previous input to ensure they have not already
been entered.
Logical relationship check: if a particular condition is true, then one or more additional conditions or
data input relationships may be required to be true and consider the input valid. For example, the hire
date of an employee may be required to be more than 16 years past his/her date of birth.
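The checks listed above, worked through in Python on a constructed transaction record (an added example, not code from the paper). The invoice range, payroll limit, status codes, widget threshold and the 16-year rule are the paper's own figures; the Luhn algorithm for the check digit, the record layout and the sample values are assumptions.

```python
"""Programmed edit checks from the paper's 'Data validation and editing procedures'
list, applied to constructed sample input. Added example, not code from the paper."""
from datetime import date

# Figures taken from the paper's own examples.
INVOICE_FIRST, INVOICE_LAST = 12001, 15045  # sequence check: the day's invoice range
PAYROLL_LIMIT = 4000.00                     # limit check: cheques must not exceed 4.000 euro
MARITAL_CODES = {"M", "S"}                  # validity check: acceptable status codes
WIDGET_USUAL_MAX = 20                       # reasonableness check: usually at most 20 widgets
MIN_HIRE_AGE_YEARS = 16                     # logical relationship: hire date vs date of birth

def sequence_check(invoice_numbers):
    """Return (number, reason) pairs for the exception report; valid numbers pass silently."""
    exceptions, seen, last = [], set(), INVOICE_FIRST - 1
    for n in invoice_numbers:
        if not INVOICE_FIRST <= n <= INVOICE_LAST:
            exceptions.append((n, "outside the day's range"))
        elif n in seen:
            exceptions.append((n, "duplicate"))
        elif n <= last:
            exceptions.append((n, "out of sequence"))
        else:
            last = n
        seen.add(n)
    return exceptions

def limit_check(amount):
    return amount <= PAYROLL_LIMIT

def validity_check(marital_status):
    return marital_status in MARITAL_CODES

def reasonableness_check(widgets):
    """Does not reject: returns a warning to print with the record, or None."""
    if widgets > WIDGET_USUAL_MAX:
        return f"order of {widgets} widgets appears unreasonable"
    return None

def completeness_check(value):
    """A field must contain data rather than zeros or blanks."""
    if isinstance(value, str):
        return value.strip() not in ("", "0")
    return value not in (None, 0)

def logical_relationship_check(date_of_birth, hire_date):
    """The hire date must lie at least MIN_HIRE_AGE_YEARS after the date of birth."""
    year = date_of_birth.year + MIN_HIRE_AGE_YEARS
    try:
        earliest = date_of_birth.replace(year=year)
    except ValueError:          # born on 29 February, target year not a leap year
        earliest = date(year, 3, 1)
    return hire_date >= earliest

def luhn_check_digit(payload):
    """Check digit for a numeric string using the Luhn algorithm (an assumed choice; the
    paper names no algorithm). It catches every single-digit transcription error and
    almost every transposition of two adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def verify_check_digit(number):
    """Recompute the check digit over the payload and compare it with the last digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def validate_record(rec):
    """Run the checks on one transaction record; return (errors, warnings)."""
    errors, warnings = [], []
    for field in ("employee_no", "amount", "marital_status"):
        if not completeness_check(rec.get(field)):
            errors.append(f"{field}: missing")
    if not verify_check_digit(rec.get("employee_no", "")):
        errors.append("employee_no: check digit mismatch")
    if not limit_check(rec.get("amount", 0)):
        errors.append("amount: exceeds payroll limit")
    if not validity_check(rec.get("marital_status", "")):
        errors.append("marital_status: invalid code")
    if not logical_relationship_check(rec["date_of_birth"], rec["hire_date"]):
        errors.append("hire_date: less than 16 years after date of birth")
    warning = reasonableness_check(rec.get("widgets_ordered", 0))
    if warning:
        warnings.append(warning)
    return errors, warnings

# Constructed sample record: two digits of the employee number transposed, amount over limit.
SAMPLE_RECORD = {
    "employee_no": "79927398731",      # the correctly keyed number would be 79927398713
    "amount": 4250.00,
    "marital_status": "M",
    "date_of_birth": date(1990, 5, 1),
    "hire_date": date(2008, 9, 15),
    "widgets_ordered": 25,
}
```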
Data file control procedures
Before and after imaging: computer data in a file prior to and after a transaction is processed can be
recorded and reported.
Maintenance error reporting and handling: control procedures should be in place to ensure that all error reports are properly reconciled and corrections are submitted on a timely basis.
Source documentation retention: source documentation should be retained for an adequate time period to enable retrieval, reconstruction or verification of data.
Internal and external labelling: internal and external labelling of removable storage media is imperative
to ensure that the proper data are loaded for processing.
Version update: for correct processing, it is critical that the proper version of a file is used and that it is the correct file.
Data file security: data file security controls prevent unauthorized access by unauthorized users who may have access to the application to alter data files.
One-by-one checking: individual documents agree with a detailed listing of documents processed by the
computer.
Pre-recorded input: certain information fields are pre-printed on blank input forms to reduce initial
input errors.
File updating and maintenance authorization: proper authorization for file updating and maintenance is
necessary to ensure that stored data are safeguarded adequately, correct and up to date.
Parity checking: (aka. vertical redundancy check) also involves adding a bit (aka the parity bit) to each
character during transmission. In this case, where there is a presence of bursts of errors (i.e.,
impulsion noise during high transmission rates), it has a reliability of approximately 50%. In higher
transmission rates, this limitation is significant.
Cyclic redundancy check (CRC) can check a block of transmitted data. The workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both are equal, the block is assumed error free. In this case (compared to a parity or echo check), multiple errors can be detected. In general, CRC can detect all single-bit and double-bit errors.
Echo check: detects line errors by retransmitting data back to the sending device for comparison with the original transmission.
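An added example (not code from the paper) contrasting the three transmission checks above: even parity per character, a bitwise CRC-8 over the block, and an echo check, run against constructed line errors. It shows the case the text warns about, a two-bit burst inside one character that parity misses but the CRC catches; the polynomial choice and the sample block are assumptions.

```python
"""Parity bit, CRC and echo check over a constructed data block, added to show the
detection limits the text describes. Not code from the paper."""

def parity_bit(byte):
    """Even parity: 1 when the byte has an odd number of set bits, so the total becomes even."""
    return bin(byte).count("1") & 1

def crc8(data, poly=0x07):
    """Bitwise CRC-8, polynomial x^8 + x^2 + x + 1 (0x07), MSB first, no reflection.
    This polynomial has the factor (x + 1), so every odd number of bit errors is detected,
    and its other factor is primitive of degree 7, so every double-bit error within a
    127-bit frame is detected as well. Other polynomials have other limits."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def flip_bits(data, bit_positions):
    """Simulate line errors: invert the given bit positions (bit 0 = LSB of byte 0)."""
    block = bytearray(data)
    for pos in bit_positions:
        block[pos // 8] ^= 1 << (pos % 8)
    return bytes(block)

def transmit(data):
    """Sender side: the data block, one parity bit per character, and a CRC over the block."""
    return {"data": data, "parity": [parity_bit(b) for b in data], "crc": crc8(data)}

def receive(frame, received_data):
    """Receiver side: which checks flag received_data as damaged?
    Parity bits and CRC are assumed to arrive intact; only the data is corrupted here."""
    parity_alarm = any(parity_bit(b) != p for b, p in zip(received_data, frame["parity"]))
    crc_alarm = crc8(received_data) != frame["crc"]
    # Echo check: the receiver sends the data back and the sender compares it.
    echo_alarm = received_data != frame["data"]
    return {"parity": parity_alarm, "crc": crc_alarm, "echo": echo_alarm}

def run_scenarios(data=b"PAYROLL 4000"):   # constructed sample block
    """Four deliveries of the same frame: clean, one bit hit, a burst inside one
    character (parity cannot see an even number of flips in a byte), two characters hit."""
    frame = transmit(data)
    return {
        "clean": receive(frame, data),
        "single bit": receive(frame, flip_bits(data, [5])),
        "burst in one byte": receive(frame, flip_bits(data, [0, 1])),
        "two bytes hit": receive(frame, flip_bits(data, [0, 9])),
    }
```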
Data integrity in online transaction processing systems (ACID)
Atomicity: from a user perspective, a transaction is either completed in its entirety (i.e. all relevant
database tables are updated) or not at all. If an error or interruption occurs, all changes made up to
that point are backed out.
Consistency: all integrity conditions in the database are maintained with each transaction, taking the
database from one consistent state into another consistent state.
Isolation: each transaction is isolated from other transactions and hence each transaction only accesses
data that are part of a consistent database state.
Durability: if a transaction has been reported back to a user as complete, the resulting changes to the
database survive subsequent hardware or software failures.
8. Password cracking defences
The first defence against password cracking is minimizing the exposure of
encrypted/hashed password files. A strong password policy is crucial to ensuring a secure
network. A password policy should require password lengths of at least 10 characters.
Users must be aware of the issue of weak passwords and be trained in creating
memorable, yet difficult to guess passwords.
Try to prevent your system administrators from working with their admin or root accounts on a regular, daily basis. Get your system administrators to use a normal user account for their non-administrator work. Rename the default admin or root account (if possible) and block default guest accounts. Choose appropriate password policies and set a minimum password length, a password history and forbidden password prefixes (123, 234, abc, bcd, etc.). Determine account lockout settings and deploy them, not only to production, but also to the development, testing and acceptance environments. Determine the amount of logging information you need and review this on a regular basis. Adjust your policy settings if needed.
In contrast to normal users, you could adjust the administrator account policies to enable strong
authentication by default for administrators. Log failed account and access attempts to a log system
and review these logs on a daily basis. Adjust your policy settings if needed.
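The policy settings listed above (minimum length of 10, password history, forbidden prefixes such as 123 or abc, and account lockout) can be enforced in code. The following is an added example and not part of the white paper; the history depth of 5 and the lockout of 5 failures for 15 minutes are assumed values chosen for the illustration.

```python
import hashlib
import hmac

# Values from the white paper: length >= 10, history, forbidden prefixes, lockout.
# History depth and lockout threshold/duration are assumptions for this example.
MIN_LENGTH = 10
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
FORBIDDEN_PREFIXES = ("123", "234", "345", "abc", "bcd", "cde")

def hash_password(password, salt):
    # Salted PBKDF2, so the history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_policy(candidate, history):
    """Return the policy violations for a proposed password (empty = accepted).

    history is a list of (salt, digest) pairs for previously used passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower().startswith(FORBIDDEN_PREFIXES):
        problems.append("starts with a forbidden prefix")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reused from password history")
            break
    return problems

class LoginTracker:
    """Counts failed logons per account and enforces a temporary lockout."""
    def __init__(self):
        self.failures = {}      # account -> consecutive failures
        self.locked_until = {}  # account -> unix time at which the lockout ends

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        # Register a failed logon; returns True if the account is now locked.
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return True
        return False
```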
9. Backdoor Defences
The best defence against backdoor programs is that system and security administrators
know what is running on their machines, particularly sensitive systems storing critical
information or processing high-value transactions. If a process is suddenly running as the
super user listening on a port, the administrator needs to investigate.
Use a central SYSLOG server to which the local (system) logs are transferred on a scheduled basis. Make
the central log append-only. Take integrity measures. Perform log analysis on a regular basis, including
automated signalling to an administrator/manager.
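Knowing what is running on a machine means keeping a baseline of approved listeners and alerting on anything new, with a listener owned by the super user treated as the most urgent. The following is an added example, not from the white paper; the inventory format (protocol, port, user, program per line) and both inventories are constructed for the illustration.

```python
# Constructed inventories, not the output of any real tool. One listener
# per line: protocol, local port, owning user, program name.
BASELINE = """
tcp 22 root sshd
tcp 80 www-data nginx
tcp 443 www-data nginx
udp 53 named named
"""

SNAPSHOT = """
tcp 22 root sshd
tcp 80 www-data nginx
tcp 443 www-data nginx
udp 53 named named
tcp 31337 root updater
tcp 8080 bob python3
"""

def parse_listeners(text):
    """Parse inventory lines into a set of (proto, port, user, program)."""
    listeners = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # skip malformed lines instead of aborting the check
        proto, port, user, program = parts
        listeners.add((proto, int(port), user, program))
    return listeners

def find_new_listeners(baseline_text, snapshot_text):
    """Report listeners present now but absent from the approved baseline.

    A listener running as root gets severity HIGH, as the text recommends
    immediate investigation of a super-user process that starts listening.
    """
    baseline = parse_listeners(baseline_text)
    current = parse_listeners(snapshot_text)
    findings = []
    for proto, port, user, program in sorted(current - baseline):
        findings.append({
            "proto": proto, "port": port, "user": user, "program": program,
            "severity": "HIGH" if user == "root" else "MEDIUM",
        })
    return findings

if __name__ == "__main__":
    for f in find_new_listeners(BASELINE, SNAPSHOT):
        print(f"{f['severity']}: {f['program']} ({f['user']}) on {f['proto']}/{f['port']}")
```

Run the comparison from a scheduled job against the stored baseline and ship the findings to the central log server so they are reviewed with the rest of the log analysis.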
10. Trojan horses and Root kit defences
To protect against Trojan horses, user awareness is key. Users must understand the risks
associated with downloading and running untrusted programs. The same goes for
running executable attachments in email from untrusted sources and visiting rogue web
sites. Computers should have an effective and up-to-date anti-virus program installed. To
defend against root kits, system and security administrators must use integrity checking
programs for critical system files. Unfortunately, kernel-level root kits cannot be detected
with integrity check programs, because the integrity checker relies on the underlying
kernel to do its work. If the kernel lies to the integrity checker, the results will not show
the root kit installation.
Scan regularly for Trojan horses, root kits and backdoors with internal scanners, but also with external
(commercial) scanners. If possible, use multiple kinds or types of scanners. For example, use different
kinds and types of scanners for the "outer" (internet-facing) network layer, the DMZ, the (application)
servers and the workstations. Use integrity checking software. The best defence against kernel-level
root kits is a monolithic kernel that does not support loadable kernel modules. On critical systems
(firewalls, internet web servers, DNS servers, mail servers etc.) administrators should build the
systems with complete kernels without support for loadable kernel modules. With this configuration,
the system prevents an attacker from gaining root-level access and patching the kernel in real time.
Epilogue
So we have learnt that hacking is not just what has been dominating the news in the past months.
Hacking has existed at all times and will probably never go away. Hacking will become even more
dominant because the crackers (yes, not the hackers) can easily earn large amounts of money with their
botnets, spam, ransomware, drive-by-download infections and attacks on Internet-facing web
applications. Secondly, the number of web users still increases every day, so the number of potential
victims and attack vectors also increases every day.
In this white paper, hackers and hacking are revealed: who they are, what they do, what
types there are and how they do what they do. A hack comes in phases. Knowing all this is
where prevention begins.
Identifying and analysing the attacks is the start of prevention. The information in this
white paper helps you defend yourself or your company against hacking by using
preventive, detective, corrective and compensating countermeasures.