Transcript Overview
Types of Attacks, Hackers Motivations and Methods CS432: Security Overview Access attacks. Modification attacks. Denial-of-Service attacks. Repudiation attacks. Access Attacks An access attack is an attempt to see information that the attacker is not authorized to see. Snooping is looking through information files to find something interesting. Eavesdropping is when someone listens in on a conversation that they are not a part of. Access Attacks Interception is an active attack against the information. To access the information on paper, the attacker needs to gain access to that paper. Good site security may prevent an outsider from accessing information on paper, but may not prevent an insider from gaining access. Access Attacks Correct access permissions will prevent most casual snooping for electronic information. Eavesdropping on a transmission can access information in transit. A sniffer is a computer that is configured to capture all traffic on a network. Wireless networks make sniffing easier. Access Attacks Interception attacks are more difficult and more dangerous than simple eavesdropping attacks. The attacker must insert his system between the sender and the receiver to intercept information. Information can be intercepted on the Internet by causing a name resolution change. Modification Attacks A modification attack is an attempt to modify information that the attacker is not authorized to modify. The attacker may change or delete existing information, or insert new information in a modification attack. Modifying electronic information is easier than modifying information on paper. Denial-of-Service Attacks Denial-of-Service (DoS) attacks deny the use of resources, information, or capabilities of a system to legitimate users. Denial of access to information causes the information to be unavailable. The information may be destroyed, converted into an unusable form, or shifted to an inaccessible location. Denial-of-Service Attacks The attacker may target the application that manipulates or displays information. If an application is unavailable, the organization cannot perform the tasks done by that application. A common type of DoS attack is bringing down computer systems. Denial-of-Service Attacks A DoS attack against system communication may range from cutting wires to flooding networks with excessive traffic. The system and the information are left untouched, but the lack of communication prevents access to them. Information on paper as well as information in electronic form are subject to physical DoS attacks. Denial-of-Service Attacks Short-term DoS attacks can be made by simply turning off a system. Applications can be rendered unavailable by sending a pre-defined set of commands that it cannot process properly. Accidents could also cause DoS incidents. Repudiation Attacks In a repudiation attack, false information may be given or a real event or transaction may be denied. Electronic information is more susceptible to repudiation attacks than information in the physical form. Denying an event is easier in the electronic world as there is no proof to link an individual with the event. Hacker Techniques Overview Hacker’s motivation. Historical hacking techniques. Advanced techniques. Malicious code. Methods used by untargeted hacker. Methods used by targeted hacker. Hacker’s Motivation The term “hacker” was originally coined for an individual who could make computers work. A hacker currently refers to an individual who breaks into computers. Studies show that hackers are most often male, between 16 and 35 years old, loners, intelligent, and technically proficient. Hacker’s Motivation The most common motivation for hacking into computer systems is the challenge of doing so. The challenge motivation is usually associated with an untargeted hacker. An untargeted hacker is one who hacks just for the fun of it. The greed motivation includes desire for gain in the form of money, goods, services, or information. Hacker’s Motivation Sites having something of value (software, money, information) are primary targets for hackers motivated by greed. Malicious attacks focus on particular targets. The hacker motivated by malicious intent aims at damaging, and not gaining access to the system. The risk of a hacker being caught and convicted is low. Hence, the potential gain from hacking is high. Historical Hacking Techniques Open sharing: When the Internet was originally created, most systems were configured to share information. The Network File System (NFS) used by UNIX allowed one computer to mount the drives of another computer across a network. Hackers used NFS to read the information by mounting remote drives. Historical Hacking Techniques Open sharing (continued): Many operating systems were shipped out with the root file system exportable to the world. Anyone could mount the system’s root file and change anything they wanted if the default configuration was not changed. Hackers can get into a system with remote access, by identifying one user or administrator account on the system. Historical Hacking Techniques Weak passwords: Weak passwords are the most common method used by hackers to get into systems. A two-character password is easier to guess than an eight-character one. Easy to guess passwords allow hackers a quick entry into the system. Historical Hacking Techniques Programming flaws and social engineering: Hackers have used programming flaws such as back doors in a program for accessing systems that use the program. Many shopping Websites store information entered by the buyer on a URL, which can be modified before checking out. Social engineering is the use of non-technical means to gain unauthorized access to information or systems. The ability to lie and a kind voice are the most powerful tools used by a hacker using the Historical Hacking Techniques Buffer overflow: Buffer overflow is an attempt to store too much information into an allocated space in a computer’s memory. Buffer overflows allow hackers to run a command on the target system. A hacker can exploit a buffer overflow to overwrite the return address to point to a new instruction. Historical Hacking Techniques Denial-of-Service (DoS): DoS attacks are malicious acts to deny legitimate users access to a system, network, application, or information. Most DoS attacks originate from fake addresses. In a single-source DoS attack, a single system is used to attack another system. The SYN flood and the Ping of Death are some of the single-source DoS attacks that have been identified. Historical Hacking Techniques Distributed Denial-of-Service (DDoS): DDoS attacks originate from a large number of systems. Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools. Historical Hacking Techniques Distributed Denial-of-Service (DDoS) (continued): A hacker talks to a master or server that has been placed on a compromised system. The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system. Historical Hacking Techniques The architecture of DDoS attacks. Advanced Techniques Sniffing switch networks. IP spoofing. Sniffing Switch Networks Hackers use sniffers to gather passwords and other system-related information after a system is compromised. On shared media networks, sniffers use network interface cards (NIC) to access information. In a switched environment, the hacker must cause the switch to redirect all traffic to the sniffer, or send all traffic to all ports. Sniffing Switch Networks Redirecting traffic: A switch directs traffic to ports based on the Media Access Control (MAC) address of the Ethernet frame. Address Resolution Protocol (ARP) is used to get the MAC address associated with a particular IP address. When a system wants to send traffic to another system, it will send an ARP request for the destination IP address. Sniffing Switch Networks Redirecting traffic (continued): A sniffer may respond to an ARP request with its own MAC address, causing traffic to be sent to itself. This is called ARP spoofing. The sniffer must send on the traffic to the correct destination, or it will cause a denial of service on the network. ARP spoofing is possible only on local subnets as the ARP messages do not go outside the local subnet. Sniffing Switch Networks Redirecting traffic (continued): Duplicating the MAC address of the target system is another way of getting the switch to redirect the traffic to the sniffer. In a DNS Spoofing attack, a sniffer responds to the sending system’s DNS requests. The sniffers response provides its own IP address as that of the system being requested. DNA Spoofing is possible if the sniffer is in the network path from the sending system to the DNS server. Sniffing Switch Networks Sending all traffic to all ports: When the memory used by switches to store the mappings between MAC addresses and physical ports is full, some switches will fall “open.” That means that the switch will send all traffic to all ports instead of sending traffic for specific MACs to specific ports. Sniffing requires that the hacker have a system on the local switch. IP Spoofing Details of IP spoofing IP Spoofing Using IP spoofing in the real world Malicious Code Malicious codes include three types of programs: Computer viruses. Trojan horse programs. Worms. Computer Viruses Computer viruses are not structured to exist by themselves. Virus codes execute when the programs to which they are attached are executed. Malicious viruses may delete files or cause systems to become unstable. Some viruses just spread themselves to other systems without performing any malicious acts. Trojan Horse Programs A Trojan horse is a complete and selfcontained program. It hides its malicious intent behind a facade of something useful or interesting. Most Trojan horse programs contain a mechanism to spread themselves to new victims. Worms A worm is a program that crawls from system to system without any assistance from its victims. The Morris Worm was the first known example of a worm. CodeRed and Slapper Worm are recent examples of worms. Hybrid is the combination of two types of malicious codes into a single program. Methods Used by Untargeted Hacker Internet reconnaissance: Untargeted hackers look for any vulnerable system they can find. The hacker may perform a stealth scan, sometimes in conjunction with a ping sweep. A stealth scan is an attempt to identify systems within an address range. A ping sweep is an attempt to ping each address and see if a response is received. Methods Used by Untargeted Hacker Stealth scanning Methods Used by Untargeted Hacker Reset scans Methods Used by Untargeted Hacker Telephone and wireless reconnaissance: Wardialing is a method of telephone reconnaissance to identify systems that have modems and that answer calls. Wardriving and Warchalking are methods of wireless reconnaissance. An untargeted hacker will use reconnaissance methods to identify systems. They will look for systems that may be vulnerable to the available exploits. Methods Used by Untargeted Hacker Use of Compromised Systems: Hackers normally place a back door entry to compromised systems to access them again. The back door entries are put together in a rootkit. Hackers may close vulnerabilities they used to gain access, so that no other hacker can gain access to “their” system. A compromised system may be used to attack other systems or for reconnaissance purposes. Methods Used by Targeted Hacker A targeted hacker aims at penetrating or damaging a particular organization. A targeted hacker is motivated by a desire to gain something the organization has. The skill level of targeted hackers tends to be higher than that of untargeted hackers. Methods Used by Targeted Hacker Reconnaissance: Address reconnaissance is the identification of the address space used by the target organization. Addresses can be identified through DNS, the American Registry of Internet Numbers (ARIN) or through text searches at Network Solutions. Phone number reconnaissance is inaccurate and more difficult than identifying network addresses. Methods Used by Targeted Hacker Reconnaissance (continued): The hacker can perform wireless reconnaissance by walking or driving around the organization’s building. System reconnaissance is used to identify the existing systems, operating systems, and their vulnerabilities. Ping sweeps, stealth scans, or port scans may be used to identify systems. Stealth scans, mail systems, or Web servers may be used to identify the operating system. Methods Used by Targeted Hacker Reconnaissance (continued): Attacking or examining the system for indications of vulnerabilities can identify vulnerabilities. Vulnerabilities scanners will provide information, but may alert the target organization about the hacker’s presence. The hacker may gain access to the organization through its remote offices. Business reconnaissance will help the hacker identify the type of damage that will hurt the target the most. Methods Used by Targeted Hacker Reconnaissance (continued): Studying the employees of the organization may prove valuable for the purpose of social engineering. Targeted hackers use physical reconnaissance extensively. Weaknesses in physical security may be used to gain access to the site. The hacker may also find information by searching a dumpster if trash and paper to be recycled is dumped into it. Methods Used by Targeted Hacker Electronic attack methods: The hacker may attempt to hide the attack from the intrusion detection system by breaking the attack into packets. The hacker must make the system appear as normal as possible if the attack is successful. The hacker will establish back door entries to allow repeated access to a compromised system. Methods Used by Targeted Hacker Electronic attack methods (continued): Systems with remote access control or administration systems are prime targets for attacks via dial-in access. The hacker may send a virus or a Trojan horse program to an employee’s home system. Wireless networks provide the easiest access path. In many cases, the wireless network is part of the organization’s internal network. Hence, it may have fewer security devices. Methods Used by Targeted Hacker Physical attack methods: Social engineering is the safest physical attack method. It may lead to electronic information. Checking the dumpster or following an employee into the building are other methods of physical attack. Summary Access attacks occur when an attacker gains information that he or she is not authorized to access. Snooping, Eavesdropping, and Interception are the three types of Access attacks. Modification attacks are attacks against the integrity of information. Summary Denial-of-Service attacks deny legitimate users access to the system, information, or capabilities. The attacker may target the information, applications, the system, or the communications media itself in a DoS attack. Repudiation is an attack against the accountability of the information. Summary A hacker may be motivated by the challenge of breaking in, greed, or malicious intent. Open file sharing, weak passwords, programming flaws, and buffer overflows were exploited by hackers to break into systems. In social engineering, the hacker uses human nature and the ability to lie, to access information. Summary In Denial-of-Service attacks, legitimate users are denied access to the system, network, information, or applications. In Distributed Denial-of-Service attacks, many systems are coordinated to attack a single target. Sniffing switch networks involves getting the switch to either redirect traffic to the sniffer or send all traffic to all ports. Summary ARP spoofing, MAC duplicating, and DNS spoofing are the three methods of redirecting traffic. IP spoofing involves modifying the source address to make the packet appear to appear as if coming from elsewhere. Viruses, Trojan horse programs, and worms are the three types of malicious codes. Summary Untargeted hackers do not aim at accessing particular information or organizations, but look for any system that can be compromised. Targeted hackers have a reason for attacking a organization.