Transcript Hacking

COEN 252
Security Threats
Hacking

Untargeted attacks

Motivation is

Fun (I can do it)
 prevalent until ~2000

Financial Gain
 Selling access to compute resources
 Creation of botnets for spamming, computation
(distributed decryption, phishing, pharming …)
 Selling data
 Credit Card Information
 E-mails
 …
 Targeted Denial of Service Attacks
 Cloud Nine, a British ISP failed after suffering attacks

Cyber-warfare, terrorism
Hacking

Targeted Attacks


Theft of information
Incapacitation of an organization to fulfill its
purpose by destroying / impeding its use of
computing resources
Hacking
Phases of a Targeted Attack
Reconnaissance
 Scanning
 Gaining Access
 Expanding Access
 Covering Tracks

Reconnaissance

Social Engineering

Incite a human to act imprudently, furthering the goals
of the attacker:


“I cannot access my email. What do I do?”
Countermeasures:
 Identify security issues
 Develop policies
 Need to prevent leakage of information
 Need buy-in by users and agents
 Need to maintain user-friendliness of IT

Physical Reconnaissance

Dumpster Diving


Especially bountiful when people move
Installation of scanning devices
Reconnaissance

Finding publicly available information

Contact information of internet registration


WhoIs, ARIN, RIPE, …
Internal documents made publicly available:




Use search engines
Check Internet Archive, …
Identify naming conventions and guess file names
Scrutinize publications
 A word document might contain the revision history with old
versions of file
 A PDF file had confidential information obscured by a black
box, that could be removed
 …

Email, Usenet, Blog postings that identify names of
internal machines, …
Reconnaissance: Scanning
Once we have a target, we need to get to
know it better.
Methods:
 War Dialing (to find out modem access)
 War Driving
 Network Mapping


Largely obsolete due to better firewall rules
Vulnerability Scanning
Scanning: War Dialing
Purpose: Find a modem connection.
 Many users in a company install remote PC
software such as PCAnywhere without setting the
software up correctly.
 War Dialer finds these numbers by going through
a range of phone numbers listening for a modem.
 Demon Dialer tries a brute force password attack
on a found connection.
 Typically: war dialing will find an unsecured
connection.
Scanning: Network Mapping
Ping:
 ping is implemented using the Internet
Control Message Protocol (ICMP) Echo
Request.
 A receiving station answers back to the
sender.
 Used by system administrators to check
status of machines and connections.
Scanning: Network Mapping
Traceroute:
 Pings a system with ICMP echo requests
with varying life spans (= # of hops
allowed).
 A system that receives a package with
expired numbers of hops sends an error
message back to sender.
 Traceroute uses this to find the route to a
given system.
 Useful for System Administration
Scanning: Network Mapping
Cheops:
Network Scanner
(UNIX based)
(Uses traceroute and
other tools to map
a network.)
Cheops et Co. are the
reason that firewalls
intercept pings.
Reconnaissance: Port Scans
Applications on a system use ports to
listen for network traffic or send it out.
 216 ports available, some for known
services such as http (80), ftp, ...
 Port scans send various type of IP
packages to target on different ports.
 Reaction tells them whether the port is
open (an application listens).

Reconnaissance: Nmap
Uses different types of packets to check
for open ports.
 Can tell from the reaction what OS is
running, including patch levels.
 Can run in stealth mode, in which it is not
detected by many firewalls.

Gaining Access

Fault in Policy


Fault in Implementation


Weak or no authentication, unwarranted trust
relationships, …
Typical triggered by intentionally malformed
input
Extension of a security breach

Sniffing malware, …
Security Policy, Software defects, flaws,
vulnerabilities


A Security Policy is a set of rules and practices that
specify or regulate how a system or organization provides
security services to protect sensitive and critical system
resources [Internet Society 00].
Software Defects:


Security Flaw:



A software defect is the encoding of a human error into the
software, including omissions.
A security flaw is a software defect that poses a potential
security risk.
Eliminating software defects eliminate security flaws.
Vulnerability



set of conditions that allows an attacker to violate an explicit
or implicit security policy.
Not all security flaws lead to vulnerabilities.
Not all vulnerabilities are based on a security flaw.
Software Vulnerabilities

Attacker needs
to control the environment of the application
 or craft input
in order to trigger a vulnerability.

Software Vulnerabilities
In a typical environment, attacker needs
to be able to set a single value at a single
address in order to execute arbitrary code.
 Typical Targets


Global Offset Table in Unix


.dtors



Used to link to library functions
Used by gcc to link to destructors that run at
termination of program
Virtual Function Tables
Exception Handling Table in Windows
Software Vulnerabilities

Typical Vulnerabilities

Buffer Overruns:




Format String Vulnerability:




Input string is stored on a buffer, but buffer is too small
Input located outside of buffer has overwritten data
Stack based buffer overflow: Overwrite the return address
of a function
(Specific to C)
Arises by not specifying a format string
The %n construct allows attacker to control a random
memory location
Integer Overflow
Race Conditions

Especially when accessing files
Software Vulnerabilities

Typical Vulnerabilities

Injection Attacks



Input (e.g. user input to web server) is used to
generate arguments for a command to be executed:
Command Injection
Input (e.g. user input to web server) is used to
generate arguments for a sql query to be executed
and displayed: SQL Injection
Name Resolution Attacks

Different modules use different ways to canonicalize
/ resolve names of resources such as files
 HFS2 file names are not case sensitive, but Apache
configuration is
 Homonyms (e.g. kyrillic vs. regular o)
Software Vulnerabilities

Use of magic names

Instance of security by obfuscation


Magic URL
Hidden Form Fields
Software Vulnerabilities

False amount of security information
results in poor usability



Too many warnings: Users are confused and
trained to ignore warnings
Too few warnings: Users are not made aware
of risks
Bad networking protocols


Unauthenticated key exchange
Trusting network name resolution
Gaining Access through Network
Attacks: Sniffing
Sniffer: Gathers traffic from a LAN.
 Examples: Snort www.snort.org, Sniffit
reptile.rug.ac.be/~coder/sniffit/sniffit.html
 To gain access to packages, use spoofed
ARP (Address Resolution Protocol) to
reroute traffic.

Gaining Access through Network
Attacks: Sniffing

Sniffing through a hub:

MAC flooding:






Switches store MAC addresses in a cache.
Switches accept MAC advertising.
Attacker sends a flood of MAC advertisings.
Switch’s cache fills up.
Switch moves into promiscuous mode.
Spoofed ARP messages
Gaining Access through Network
Attacks: Sniffing

Sniffing through a hub:

Spoofed ARP messages:






ARP resolves between IP addresses and MAC addresses.
Step 1: Attacker sets up IP Forwarding to the default router
on LAN.
Step 2: Send a faked ARP reply to victims machine to
reroute default router IP to attackers MAC address.
Step 3: Victim sends out a message to the outside world.
This is routed to the default router IP, i.e. to the attackers
machine.
Step 4: Attacker reads traffic.
Step 5: Because of forwarding, packet is forwarded to
actual default router.
Gaining Access through Network
Attacks: Sniffing

Man in the Middle Attack with DSniff:






Step 1: Send fake DNS response with IP
address for the web site to be attacked to the
victim.
Step 2: Victim connects to website.
Step 3: DNS resolves to the attacker’s
machine, request send there.
Step 4: Attacker’s site receives request, acts
as proxy, forwards it to real website.
Step 5: Real website answers, attackers site
forwards to victim.
…
Gaining Access: Session Hijacking
IP Address Spoofing: Send out IP
packages with false IP addresses.
 If an attacker sits on a link through which
traffic between two sites flows, the
attacker can inject spoofed packages to
“hijack the session”.
 Attacker inserts commands into the
connection.
 Details omitted.

Exploiting and Maintaining Address
After successful intrusion, an attacker
should:
 Attack privileged programs to gain root or
administrator privileges.
 Erase traces (e.g. change log entries).
 Take measures to maintain access.
 Erase security holes so that no-one else
can gain illicit access and do something
stupid to wake up the sys. ad.
Maintaining Access: Trojans

A program with an additional, evil
payload.


Running MS Word also reinstalls a backdoor.
ps does not display the installed sniffer.
Maintaining Access: Backdoors
Bypass normal security measures.
Example: netcat
 Install
netcat on victim with the
GAPING_SECURITY_HOLE option.
C:\ nc -1 –p 12345 –e cmd.sh
 In the future: connect to port 12345 and
start typing commands.

Maintaining Access: Backdoors
BO2K (Back Orifice 2000) runs in stealth
mode (you cannot discover it by looking at
the processes tab in the TASK MANAGER.
 Otherwise, it is a remote control program
like pcAnyWhere, that allows accessing a
computer over the net.

Maintaining Access: Backdoors

RootKit:
A backdoor built as a Trojan of system
executables such as ipconfig.

Kernel-Level RootKit:
Changes the OS, not only system executables.
Covering Tracks:
Altering logs.
 Create difficult to find files and directories.
 Covert Channels through Networks:





Loki uses ICMP messages as the carrier.
Use WWW traffic.
Use unused fields in TCP/IP headers.
Use antiforensics


Change registry values to delete traces of
installed programs
Change Date-Time stamps
Hacker Profile

Internal Hacker


Disgruntled employee
Contracted employee



Targets for corporate espionage.
Are not bound by employee policies and procedures.
Indirectly contracted employee

Perform shared or subcontracted services
Hacker Profile

External Hacker

Recreational Hacker





85% 90% male.
Between 12 and 25.
Highly intelligent low-achiever.
Typically from dysfunctional families.
Professional Hacker




Hackers for hire.
Electronic warfare, corporate espionage.
“Security Consultants”
Security Consultants
Hacker Profile

Virus writers1



Teenagers, College Students, Professionals
Drop out of the scene as adults or have social problems.
Intelligent, educated, male.
Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus
Writer’s Mind”
Hacker Profile

Script Kiddy




Uses scripts of programs written by others to
exploit known vulnerabilities
Goal is bragging rights, defacing web sites
Sweep IP addresses for vulnerability
Typically not explicitly malicious, but can cause
damage inadvertently
Hacker Profile

Dedicated Hacker





Does research.
Knows in and outs of OS, system, auditing and
security tools.
Writes or modifies programs and shell scripts
Reads security bulletins (CERT, NIST)
Searches the underground.
Hacker Profile

Skilled Hacker




Thorough understanding of system at the level
of Sys Ad or above.
Can read OS source code.
Understands network protocols.
Superhacker


Does not brag or post.
Can enter or bring down any system.
http://www.securityfocus.com/news/203
Hacker Motives

Intellectually Motivated

Educational experimentation





“Harmless Fun”


28 year old computer expert diverted 2585 US West
computers to search for a new prime number.
Used 10.63 years of computer time.
Lengthened telephone number lookup to 5 minutes
Almost shut down the Phoenix Service Delivery Center
Web defacing
Wake-up Call

Free-lance security consultant (still illegal)
Hacker Motives

Personally motivated


Disgruntled employee.
Cyber-stalking


E.g. to show of superiority to someone they feel / are
inferior to.
Danger of escalation to physical attack.
 A 50-year old security guard used the internet to solicit
the rape of a 28-year old woman who rejected him.
 Impersonated her in chat rooms and online bulletins.
 Impersonated rape fantasies.
 At least six man knocked at her door at night offering
to rape her.
 Six years in prison.
Hacker Motives

Socially motivated


Cyber-activism
Politically motivated


Hacking KKK or NAACP websites
Cyber-Terrorism

Threatens serious disruption of the infrastructure






Power
Water
Transportation
Communication
1988: Israeli Virus and logic bomb in Israeli government
computers
Cyber-warfare
Hacker Motives

Financially Motivated

Personal profit.
 Two Cisco Systems consultants issued almost $8 M
Cisco stock to themselves.
 Accessed a system used to manage stock option
disbursals to find control numbers for forged
authorization forms.

Damage to the organization.
 British internet provider, Cloud Nine, went out of
business after crippling series of DOS attacks.

Ego Motivated
Hacker Damage
Releasing Information
 Releasing Software



By circumventing copying protection.
Through IP theft
Consuming Unused(?) Resources
 Discover and Document Vulnerabilities
 Compromise Systems and Increase their
Vulnerabilities
 Website Vandalism
