HACKERS - The Modern Roadwarrior-


HACKERS - The Modern Roadwarrior-. THE CHANGING WORLD. - PowerPoint PPT Presentation

Transcript of HACKERS - The Modern Roadwarrior-

Page 1: HACKERS - The Modern Roadwarrior-

HACKERS - The Modern Roadwarrior-

Page 2: HACKERS - The Modern Roadwarrior-

THE CHANGING WORLD

General Powell describes an historic meeting with Gorbachev, who was becoming frustrated in trying to explain how the old model of the world was unworkable. He finally leaned across the table to Secretary Schultz and said, "You need to understand, Secretary Schultz; today I am ending the cold war." He then turned to Powell and said, "General, you will have to find another enemy."

Page 3: HACKERS - The Modern Roadwarrior-

THE CHANGING WORLD

The bipolar world of the last half century has become a multipolar economy dominated by the United States, Europe and the Pacific Rim.

- Economic competition has replaced military competition.
- Information and economic value have become synonymous.
- Personal and economic interests have merged with national interests.

The new economy is based upon information technology that is fast leading to an age of networked intelligence (the network is the computer) that is leading to a new society with new politics.

The world is on the doorstep of a digital economy fueled by information and knowledge. (Information is Power)

Page 4: HACKERS - The Modern Roadwarrior-

Hackers - An Academic View -

Page 5: HACKERS - The Modern Roadwarrior-

Hacker History

The original generation of Hackers has been said to be such personalities as John von Neumann, Alan Turing and Grace Hopper.

The first use of the term "Hacker" is attributed to members of the "Tech Model Railroad Club" from MIT in the late 1950s. This was originally a term of praise for the very best programmers and designers. Media coverage in the 1980s redefined the term to be synonymous with "Computer Criminal".

The visibility and rise of Hackers is the result of four major developments:

1. The proliferation of computers.
2. The dramatic rise and geographical expansion of networks.
3. The dramatic rise in computer literacy.
4. The dependence of organizations upon information.

Page 6: HACKERS - The Modern Roadwarrior-

My personal belief…

Computers are tools for the masses. Computers should not be private devices for the rich.

Information belongs to everyone. Most hackers start at the university which generates and distributes knowledge.

Coding is community property. The status of all software should be shareware, freeware or public domain.

Coding is an art. A good program has a certain elegance and beauty. In beauty there is creativity which is demonstrated by a program that can penetrate others.

The computer lives. Most hackers have a social and personal relationship with their computer.

Page 7: HACKERS - The Modern Roadwarrior-

The Hacker's Ethics

- Access to computers should be unlimited and total. Always yield to the Hands-On Imperative.
- All information should be free.
- Mistrust authority--promote decentralization.
- Hackers should be judged by their hacking.
- You can create art and beauty on a computer.
- Computers can change your life for the better.

Page 8: HACKERS - The Modern Roadwarrior-

Qualities

Young. Most are under 30 and concentrated around colleges and universities.

Bright. A good hack results from meeting a challenge which will require in many cases exceptionally high intelligence.

Understanding, Prediction and Control. These three conditions seem to bring a sense of competence, mastery, and self-esteem.

Computer fascination. For many of us the computer is simply a tool. For the hacker it is an unendingly fascinating toy - a mystery wrapped in an enigma to be explored and understood.

No malice. The good hacker does no damage.

Page 9: HACKERS - The Modern Roadwarrior-

Social view is

Misguided youths. Hackers are misguided youths and are essentially harmless. Their intelligence and creativity should be encouraged but directed toward more constructive channels.

Security specialists. Hackers know the corporate security weaknesses. They should be hired as security specialists and their expertise utilized to protect the corporate vital information resources.

Scumbags. Hackers are the scum of the earth and should be treated as varmints and hunted down with dogs and put away for life.

Ordinary criminals. Hackers should be treated no different than any other criminals. Human nature inevitably breeds predators and it is the responsibility of everyone to put in place the necessary controls to protect their valuables.

Page 10: HACKERS - The Modern Roadwarrior-

From the Hacker's mouth

"Hacking to me [is] to transcend custom and engage in creativity for its own sake..."

"For the most part, it's simply a mission of exploration. In the words of the captain of the starship Enterprise, Jean-Luc Picard, "Let's see what's out there!""

"It's like picking a lock on a cabinet to get a screwdriver to fix a radio. As long as you put it back what's the harm?"

"Although computers are part "property" and part "premises" ..... they are supreme instruments of speech..... We must continue to have absolute freedom of electronic speech."

"Thousands of people legally see and use this ever-growing mountain of data much of it erroneous. Whose rights are we violating when we peruse the file. ...The invasion took place long before the hacker ever arrived."

"Crime gets redefined all the time. Offend enough people or institutions and lo and behold, someone will pass a law."

"At the risk of sounding like some digital posse comitatus, I say: Fear The Government That Fears Your Computer."

Page 11: HACKERS - The Modern Roadwarrior-

What do you mean by Hacker?

A Hacker is someone who has achieved some level of expertise with computers.

A Cracker is someone who breaks into systems without permission.

A Script Kiddie is someone who uses scripts or programs from someone else to do his/her cracking. Other terms are leech, warez puppy, warez dood, lamer and rodent.

A Phreaker is a hacker who specializes in telephone systems.

A White Hat is someone who professes to be strictly a good guy.

A Black Hat is someone who is viewed as a bad guy.

A Grey Hat is someone who falls in between White and Black.

Page 12: HACKERS - The Modern Roadwarrior-

What motivates the hacker?

- Psychological Need/Recognition.
- Desire to Learn/Curiosity.
- Revenge/Maliciousness.
- Experimentation.
- Gang Mentality.
- Misguided trust in other individuals.
- Altruistic reasons.
- Self-gratification.
- Desire to Embarrass.
- Joyriding.
- Scorekeeping.
- Espionage.
- Cyber-Warrior.

Page 13: HACKERS - The Modern Roadwarrior-

Typical attacks are

- Insider Attack.
- Social Engineering.
- Virus Infiltration.
- Denial of Service.
- Software Bug.
- Password Infiltration.
- Lack of Security Infiltration.
- IP Spoofing.
- Trojan Horse.
- Stealth Infiltration.
- Brute Force.
- TCP/IP Protocol Flaw.
- Worms and viruses.

Page 14: HACKERS - The Modern Roadwarrior-

Typical Attacks come from

- 49% are inside employees or contractors on the internal network.
- 17% come from dial-up from inside employees.
- 34% are from the Internet.

The major financial loss is due to internal hacking.

Page 15: HACKERS - The Modern Roadwarrior-

What characteristics make a GOOD target?

- Lax Security (hard on the outside, soft on the inside!).
- High visibility makes a good "Scorekeeper" site.
- High visibility makes a good "Embarrassment" site.
- Resources that are useful to the hacker.
- Destruction of ability to provide service to customer.

Page 16: HACKERS - The Modern Roadwarrior-

Examples

The Cuckoo's Egg discussed four hackers, Dirk Brzezinski, Peter Carl, Markus Hess and Karl Koch, from Hannover, Germany, who penetrated or attempted penetration of at least 50 computers connected to MILNET. These systems included the Pentagon, Lawrence Livermore Labs, the Los Alamos Nuclear Weapons Systems and the National Computer Security Center.

They exploited these systems by means of weaknesses in TCP/IP and the UNIX operating systems.

One of their favorite techniques was to plant Trojan Horses to steal authorized passwords.

The German Chaos Computer Club brought "chaos" to the National Aeronautics and Space Administration computer systems in the late 1980s. They primarily planted virus programs at the Goddard Space Flight Center in Greenbelt, Md. They gained access through a Unix flaw that the system administrator had failed to patch.

Page 17: HACKERS - The Modern Roadwarrior-

Examples

Eberhard Blum, part of the Bundesnachrichtendienst (BND), is reputed to have instituted a program called Project Rehab composed of computer scientists designed to penetrate the communications systems of the Eastern bloc. This organization, since the fall of the Eastern bloc, is reputed to have targeted the West.

The Direction Generale de la Securite Exterieur (the French CIA) is reputed to target foreign businesses. Their favorite US targets seem to have been IBM and TI. They are reputed to search visitor rooms looking for information on laptops and to bug Air France flights. The French are reputed to auction these industrial secrets to the highest corporate bidder.

The Ministry for International Trade (MITI) is reputed to coordinate the industrial espionage activities of Japanese corporations. These secrets are funneled through MITI which uses the information as part of their national industrial policy.

China, the former Soviet Union, France, Japan, Israel, Sweden, Switzerland and the UK are reputed to be the most active in national industrial espionage.

Page 18: HACKERS - The Modern Roadwarrior-

Examples

Robert Morris Jr, Cornell University, brought the Internet to its knees in 1988 through the "Internet Worm". The Worm consumed computer resources making them unavailable to others, thereby either halting the computer or slowing it to a crawl. The worm primarily consisted of two attack programs: a program designed to exploit the backdoor DEBUG command in Sendmail, a Finger daemon program to inundate the Finger daemon's input buffer, and a password guessing program.

The Legion of Doom (LoD) and the Masters of Destruction (MoD) were two of the major computer gangs in the late 80s and early 90s. They were from Brooklyn, the Bronx and Queens. They wiretapped, intercepted data transmissions, reprogrammed phone computer switches, stole and sold passwords, etc.

The LoD were convicted in 1992, apparently turned in as a result of a falling out with other hackers.

Page 19: HACKERS - The Modern Roadwarrior-

Rome Lab Attack

On 28 March 1994 the Rome Labs Sysadmins detected a password Sniffer. The Sniffer had collected so much information that it had filled a disk and crashed the system.

Defense Information Systems Agency (DISA) was notified who, in turn, notified AFOSI. Air Force Information Warfare Center (AFIWC) was notified and SA Jim Christy was assigned the case.

The investigators, after reviewing the logs and interviewing the Sysadmins, found that:

- The penetration was made on March 23 by two hackers.
- They penetrated seven computers and planted sniffers.
- 100 accounts on 30 systems were compromised.
- Rome Lab had been used as a jumping off point for hack attacks on other military, government and research facilities around the world.

The Commanding officer was briefed and made the decision to leave several systems open in the hopes of tracking the hackers. Pursue and Prosecute.

Page 20: HACKERS - The Modern Roadwarrior-

Rome Lab Attack

The investigative team established a snooper program that began keystroke monitoring on the systems left open and discovered the hacker handles Datastream Cowboy and Kuji.

The majority of the attacks were traced back to cyberspace.com, Seattle, Washington and mindvox.com, New York City.

On 5 April, an Internet informant provided AFOSI an email address and home telephone number (Datastream) in the UK of a hacker who had been bragging about the exploit.

Scotland Yard initiated a pen register on the hacker's telephone while AFOSI continued to monitor Datastream's online activity. During this time, based upon sniffed passwords, he:

- Attacked systems at the Jet Propulsion Lab in California and
- Attacked systems at the Goddard Space Flight Center, Greenbelt, Md
- Compromised an Aerospace contractor's systems in California and Texas
- Initiated a scan against Brookhaven Labs, DOE, in NY.

Page 21: HACKERS - The Modern Roadwarrior-

Rome Lab Attack

On April 14/15, 1994 the investigative team observed Kuji initiate attacks from Latvia against:

- Goddard Space Flight Center
- Wright-Patterson AFB
- NATO Headquarters

In the meantime Datastream was busily attacking the Korean Atomic Research Inst. Alarm bells started going off until it was discovered to be South Korea.

In May, 1994 Scotland Yard executed a search warrant and arrested 16 year old Richard Pryce. His tool was a 25 MHz, 486SX, 170 Mb machine.

During the interview Datastream indicated:

- He communicated with Kuji only through the Internet or Telephone.
- He provided the information he stole to Kuji.
- Kuji had been his mentor.

Pryce pleaded guilty and was fined 1,200 pounds. In June 1996 21 year old Matthew Bevan, A.K.A. Kuji, was finally apprehended. In 1997 charges against him were dropped due to lack of evidence. Kuji is now a security consultant. His web site is www.bogus.net/kuji.

Page 22: HACKERS - The Modern Roadwarrior-

A Typical Hacker Attack

Page 23: HACKERS - The Modern Roadwarrior-

THE BOEING ATTACK - 1995

[Diagram labels: INTERNET, Boeing Computer, Hacker, Trusted Connection (three links), Commercial Computer, Government Computer, Education Computer, Modem Attack]

November 1995

1. A computer consultant noticed the system was sluggish.
   (a) He executed the top command to determine what was slowing down the system.
   (b) A program called vs was consuming a large amount of system resources and was running as superuser.
2. He next ran ps.
   (a) vs did not appear so he suspected a break-in.
3. He executed the Emacs dired command and found the vs program in a directory called /var/.e/vs.
4. He next did a chdir() to the /var directory and did a ls -a command.
   (a) The directory /var/.e was not displayed.
5. The programmer used the tar command to make a copy of the /var/.e, /bin and /etc directories.
   (a) He copied this to another computer.
6. The programmer then shut down the system.
7. He next examined the /bin/login file and found it had been modified to allow logging in with a special password.
8. This seemed to be an exceptionally sophisticated attack.

Page 24: HACKERS - The Modern Roadwarrior-

THE BOEING ATTACK - 1995

[Diagram labels: INTERNET, Boeing Computer, Hacker, Trusted Connection (three links), Commercial Computer, Government Computer, Education Computer, Modem Attack]

9. He found the /var/.e/vs was a password sniffer which passed copied passwords to a remote computer.
10. He found the /bin/ls and /bin/ps commands had been modified to not display the directory /var/.e.
11. He also found the /bin/ls, /bin/ps and /bin/login file creation dates and modification times had been reset to the original dates and times.
12. He found, in addition, that the checksums for the modified commands matched those of the original unmodified versions.

A comparison of the modified programs with the backup version revealed the differences.
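Steps 9 to 12 describe trojaned binaries whose sizes, timestamps and checksums all matched the originals, so only a comparison against the backup copies exposed them. The Python script below is an added example, not code from the presentation: it fingerprints a binary against a trusted backup with size, mtime, a toy additive checksum (standing in for the weak sum the attacker matched) and SHA-256, and separately compares a directory read straight from the filesystem with the names an `ls -a` listing shows, so a suppressed /var/.e-style entry stands out. The file contents, paths and listing are constructed for the example.

```python
"""Integrity audit in the spirit of the Boeing incident: a trojaned binary
whose size, modification time and simple checksum all match the original
is caught only by a cryptographic hash compared against a trusted copy."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


def additive_checksum(data: bytes) -> int:
    """Toy 16-bit additive checksum. It is order-insensitive, so rearranged
    or compensating byte changes leave it unchanged; it stands in for the
    weak checksums that matched in step 12."""
    return sum(data) & 0xFFFF


@dataclass
class Fingerprint:
    size: int
    mtime: int
    weak_sum: int
    sha256: str


def fingerprint(path: str) -> Fingerprint:
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return Fingerprint(st.st_size, int(st.st_mtime), additive_checksum(data),
                       hashlib.sha256(data).hexdigest())


def compare_to_backup(live: str, backup: str) -> dict:
    """Report which checks agree between the live binary and its trusted
    backup. 'tampered' follows the cryptographic hash alone, whatever the
    cheap checks (size, mtime, weak sum) say."""
    a, b = fingerprint(live), fingerprint(backup)
    return {
        "size_match": a.size == b.size,
        "mtime_match": a.mtime == b.mtime,
        "weak_sum_match": a.weak_sum == b.weak_sum,
        "sha256_match": a.sha256 == b.sha256,
        "tampered": a.sha256 != b.sha256,
    }


def entries_hidden_from_listing(directory: str, listing: list[str]) -> list[str]:
    """Names present on disk (raw directory read, bypassing any ls binary)
    that a listing such as the output of a trojaned 'ls -a' does not show."""
    with os.scandir(directory) as it:
        on_disk = {entry.name for entry in it}
    return sorted(on_disk - set(listing))


def demo() -> tuple[dict, list[str]]:
    """Constructed scenario: a 'login' backup and a live copy whose bytes
    were rearranged (same length, same additive sum) with its mtime reset
    to the original's, plus a /var-like tree whose dot-directory is missing
    from the listing."""
    workdir = tempfile.mkdtemp()
    original = b"LOGIN-BINARY:" + bytes(range(80))
    # constructed tamper: the two 40-byte halves are swapped; length and
    # additive sum are unchanged, the content is not
    tampered = original[:13] + original[53:] + original[13:53]
    backup = os.path.join(workdir, "login.bak")
    live = os.path.join(workdir, "login")
    for path, blob in ((backup, original), (live, tampered)):
        with open(path, "wb") as fh:
            fh.write(blob)
    # mimic the timestamp reset seen in step 11 on the live copy
    orig_stat = os.stat(backup)
    os.utime(live, (orig_stat.st_atime, orig_stat.st_mtime))

    var = os.path.join(workdir, "var")
    os.makedirs(os.path.join(var, ".e"))
    os.makedirs(os.path.join(var, "log"))
    # what a modified ls -a might print: the dot-directory is suppressed
    shown = [".", "..", "log"]
    return compare_to_backup(live, backup), entries_hidden_from_listing(var, shown)


if __name__ == "__main__":
    report, hidden = demo()
    print(report)
    print("hidden entries:", hidden)
```

In practice the backup hashes would be stored offline (or on read-only media) at install time, since a baseline kept on the compromised host can be rewritten along with the binaries.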

Page 25: HACKERS - The Modern Roadwarrior-

Attack Methodology

What to Attack (selecting a network/target)?

1. Internet
   a. Access the Network Information Center. The InterNic provides Registration (rs.internic.net), Database (ds.internic.net) and Information (is.internic.net) Services.
   b. whois server to obtain public information on hosts, networks, domains and system administrators.
   c. WWW using the Uniform Resource Locator (URL notation).
   d. DNS to acquire the dotted decimal address.
   e. traceroute to determine intermediate networks.
   f. SNMP to dump a router table.
   g. Archie to establish the locations of files. Archie is a server with an index of filenames.
   h. Gopher as an ftp interface. Gopher allows access to resources through menus.

Page 26: HACKERS - The Modern Roadwarrior-

Attack Methodology

2. Telecommunication/Modem
   a. Social Engineering.
   b. Dumpster Diving.
   c. Demon Dialing (Scanning/Autodialing/WarDialing).
   d. Wiretapping.
   e. Optical-spying.
   f. Cheese box (unauthorized call forwarding).
   g. Piggybacking.
   h. Call Forwarding.
   i. Password Breaker.
   j. Parking Lots.
   k. Shoulder Surfing.
   l. Socializing.
   m. Stealing Laptops.
   n. Wireless Communication.

Page 27: HACKERS - The Modern Roadwarrior-

Attack Methodology

Who to Attack (selecting a host)?

1. Ping the address with an ICMP Echo Request. This can also be used to find the route of the packet to the address.
2. DNS with a reverse name look-up to translate the numeric address into a domain name address.
3. DNS HINFO records provide the hardware and operating system release, which will be helpful in formulating an attack.
4. Pinglist (a modification of traceroute with udp) to map the network.
5. Netmappers are publicly available.
6. Portmappers are publicly available.
7. The Login Screen can be used to derive information about the target.

Note: Breadth is more important than innovation. Select a known vulnerability rather than expose a new one.

Page 28: HACKERS - The Modern Roadwarrior-

Attack Methodology

Testing the host (finding a weakness).

Note: Weaknesses are generally specific to an operating system, host hardware or due to old bugs that have not been patched.

Utilize Internet Security Scanner (ISS) or Security Analysis Tool for Auditing Networks (SATAN) to scan for various holes.

a. Check for unprotected logins or mail aliases (sync, guest, lp, etc.) that do not require a password.
b. Connect to the mail port with Telnet and log the mailer type and version.
c. Attempt an anonymous FTP connection and try to grab the /etc/passwd file by using the root account. May want a list of supported commands.
d. rpcinfo to test for services running. This program prints out the current portmapper, which details what Remote Procedure Call programs, ports, and protocols are active. Looking for NFS/mountd, yp/ms, rexd.
e. ypx to attempt to grab the passwords through the Network Information System (NIS), originally called Yellow Pages, in order to invoke some type of dictionary attack.
f. Transitive Trust Analyser to learn the source of logins and to recursively probe those hosts.
g. fping to determine Internet connection or Firewall.

Page 29: HACKERS - The Modern Roadwarrior-

Attack Methodology

Hacker goals after penetration:

- Leave no evidence of the successful attack. The good hack retains a cloak of invisibility.
- Fetch and crack the /etc/passwd file.
- Obtain machine root (superuser) access.
- Install password sniffing tools to collect data for later retrieval.
- Install two or more security backdoors (security holes).
- Check the /etc/hosts or .rhosts files for trusted hosts.
- Check the mail alias database and log files.
- Run security auditing programs such as:
  – COPS
  – Internet Security Scanner (ISS)
  – Security Analysis Tool for Auditing Networks (SATAN)
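The two things the slides say an intruder looks for first, accounts that need no password (check a. on the previous slide) and trusted-host entries in .rhosts or hosts.equiv, are also the first things a COPS-style audit should report. The following is an added example, not code from the slides or from COPS; the passwd and .rhosts text it reads is constructed sample input.

```python
"""Added example (not from the slides): a COPS-style audit for accounts
that require no password and for wildcard trusted-host entries.
Input here is constructed sample text; pass real file contents to the
same functions to audit a host."""
from dataclasses import dataclass


@dataclass
class Finding:
    source: str
    line_no: int
    detail: str


def audit_passwd(text: str) -> list[Finding]:
    """Flag passwd(5)-style records with an empty password field or a
    duplicate UID 0. An empty second field means no password is required
    (the 'sync', 'guest', 'lp' case on the Testing the host slide)."""
    findings = []
    uid0_accounts = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("passwd", n, f"malformed record: {line!r}"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(Finding("passwd", n, f"{user}: no password required"))
        if uid == "0":
            uid0_accounts.append(user)
    if len(uid0_accounts) > 1:
        findings.append(Finding("passwd", 0, f"multiple UID 0 accounts: {uid0_accounts}"))
    return findings


def audit_rhosts(text: str, source: str = ".rhosts") -> list[Finding]:
    """Flag hosts.equiv / .rhosts entries that trust any host ('+') or any
    user on a host ('host +'): the trusted-host relationships an intruder
    checks after penetration and a Transitive Trust Analyser follows."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+":
            findings.append(Finding(source, n, "any host is trusted ('+')"))
        elif user == "+":
            findings.append(Finding(source, n, f"any user on {host} is trusted"))
    return findings


# Constructed sample input (not taken from any real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
sync::1:1:sync:/:/bin/sync
guest::100:100:guest:/home/guest:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
"""
SAMPLE_RHOSTS = """# trusted hosts for this account
mailhost.example.test alice
+
buildbox.example.test +
"""


def run_audit() -> list[Finding]:
    """Run both checks over the constructed samples."""
    return audit_passwd(SAMPLE_PASSWD) + audit_rhosts(SAMPLE_RHOSTS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}:{f.line_no}] {f.detail}")
```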

Page 30: HACKERS - The Modern Roadwarrior-

- A Hacker's View -

Page 31: HACKERS - The Modern Roadwarrior-

Hacker is

Note: A hacker spends 60-70 hours/week hacking! Why?

A challenge / a game of wits, skill and ingenuity. A sense of enjoyment / accomplishment. Intensely interested in computers.

Hacker Profile: Teens or early twenties. A fast learner. Academically advanced. Bored in school. Hackers grow up to become computer professionals. As many as 80% of all system operators claim to have hacked.

Page 32: HACKERS - The Modern Roadwarrior-

Hacker is

The Student: Very bright but bored. Excited by learning more about computers. They will spend days examining files on a system. Hacking is a solitary pastime - not antisocial behavior. Generally adheres to good computer ethics.

He wants to remain undiscovered so he can use the system. He wants to stay out of trouble. He respects the system/programmers and doesn't want to create additional work. He may seek employment with the company (at just the right time with just the right credentials).

Page 33: HACKERS - The Modern Roadwarrior-

Hacker is

The Crasher: A troublemaker. No obvious purpose or logic to their hacking. Makes themselves visible by creating as much trouble as possible. They are very patient and plan their attack to accomplish the most damage. Erases programs, files, etc.

Crashers don't have a good reputation with other hackers. They crash hacker bulletin boards, close down hacker accounts, etc. The Crasher must be stopped during the reconnaissance phase.

Page 34: HACKERS - The Modern Roadwarrior-

Attack Methodology

Step One - The Target Reconnaissance. Target Reconnaissance, sometimes called footprinting, is when the hacker gathers information about the target system and the network.

Search the Internet - Web sites, IRC, newsgroups, etc.

Use the Domain Information Groper (DIG) to attempt a Zone Transfer.

Gather information on network users through the Web, newsgroups, telephone books, social engineering, dumpster diving, examining cars, etc. This will reveal password combinations and the policy for determining user names.

Page 35: HACKERS - The Modern Roadwarrior-

Attack Methodology

For example:

- whois xyz.abc will find hosts on the xyz.com network.
- nslookup on xyz.abc will return information contained in the xyz.com DNS.
- Utilize a zone transfer program (DIG or named-xfer) to retrieve the DNS files from the primary DNS.
- Utilize the ping command to determine which systems are connected to the Internet.
- telnet navy.mil will determine the machine type and OS version.
- Utilize telnet to port 25 to determine the sendmail version and machine type.
- Utilize rpcinfo to scan for active ports and return a list of RPC programs running on the machine with version numbers and port numbers.
- Utilize finger to get a list of users on the system, etc.
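From the defender's side, the zone-transfer and HINFO steps in this footprinting sequence are visible in the name server's own query log. The following is an added example, not code from the slides: it scans constructed log lines written in the shape of a BIND query log (the exact field layout is assumed, so the regex may need adjusting for another server) and reports transfer requests from hosts that are not authorised secondaries, plus HINFO lookups.

```python
"""Added example (not from the slides): spotting zone-transfer attempts and
HINFO lookups in a name server query log. The log lines are constructed in
the shape of a BIND query log; the layout is an assumption."""
import re
from collections import Counter

# Assumed BIND-style query record; tolerant of the optional "@0x..." handle
# and "(name)" parts that some versions print.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query(line: str):
    """Return (client_ip, name, qtype), or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    return (m["ip"], m["name"], m["qtype"]) if m else None


def find_recon(lines, allowed_secondaries):
    """Return (alerts, per_client): alerts for AXFR/IXFR requests from hosts
    other than the configured secondaries and for HINFO lookups, and a
    count of alerts per client address so repeat offenders stand out."""
    alerts = []
    per_client = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, name, qtype = parsed
        alert = None
        if qtype in ("AXFR", "IXFR") and ip not in allowed_secondaries:
            alert = f"{qtype} of {name} requested by non-secondary"
        elif qtype == "HINFO":
            alert = f"HINFO lookup for {name}"
        if alert:
            alerts.append((ip, alert))
            per_client[ip] += 1
    return alerts, per_client


# Constructed sample log (documentation addresses, not a real server).
SAMPLE_LOG = """\
client 192.0.2.5#53422: query: www.xyz.example IN A -E (198.51.100.1)
client 192.0.2.5#53423: query: xyz.example IN AXFR -E (198.51.100.1)
client @0x7f0a1c0b2d40 192.0.2.5#53424 (mail.xyz.example): query: mail.xyz.example IN HINFO -E(0)K (198.51.100.1)
client 198.51.100.2#1053: query: xyz.example IN AXFR -E (198.51.100.1)
client 203.0.113.9#4000: query: xyz.example IN MX -E (198.51.100.1)
some unrelated log line
"""
ALLOWED_SECONDARIES = {"198.51.100.2"}  # assumed list of legitimate secondaries


def run_detection():
    """Run the detector over the constructed sample log."""
    return find_recon(SAMPLE_LOG.splitlines(), ALLOWED_SECONDARIES)


if __name__ == "__main__":
    found, counts = run_detection()
    for ip, msg in found:
        print(f"{ip}: {msg}")
    print(dict(counts))
```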

Page 36: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

VIRUS. A self-replicating, malicious program segment that attaches itself to legitimate application programs, operating system commands or other executable system components and spreads from one system to another. Each reproduced virus copy then grows independently of the others. The virus grows geometrically.

- Boot Sector. A virus that replaces the boot sector of a floppy or hard drive.
- System File. A virus that infects system files.
- Stealth. A virus that hides itself and its actions from the operating system.
- Polymorphic. A virus that changes itself each time it infects a file or disk. This virus hides itself and its actions from the operating system.
- Multi-Partite. This virus infects both files and boot sectors.
- Macro Virus. This virus is written in a macro language and is commonly found in software containing a scripting language such as Word, Excel, and PowerPoint.

Page 37: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

WORM. An independent program that replicates from machine to machine across network connections and that clogs networks and computer systems as it spreads. It is designed to search for idle computer memory and then to copy itself repeatedly until the memory is exhausted and the computer crashes.

A worm is not a virus, although they are sometimes confused. A virus must infect other programs with a copy of itself.

The most famous is the Internet Worm by Robert Morris.

Page 38: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

IMPERSONATION. An attempt to gain access to a system by posing as an authorized user. Synonymous with masquerading and mimicking. Example: using another person's access code to log on.

BOMBS. A computer program residing in a computer that is executed at appropriate or periodic times to determine conditions or states of a computer system and that facilitates the perpetration of an unauthorized act. Example: a program that causes the system to erase all financial files when it discovers that a particular person has been removed from the personnel files. Writing logic bombs is very easy, but they are difficult to detect. A Time Bomb has a time trigger. A Logic Bomb has a computer state trigger.

Page 39: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

TRAP DOOR. A breach created intentionally in an ADP system for the purpose of collecting, altering or destroying data. Generally done by putting extra code in a software program which acts as a testing aid for programmers during construction, testing or program maintenance.

TROJAN HORSE. A computer program that is apparently or actually useful but that performs another function. The Trojan can modify databases, write checks, send electronic mail, destroy File Allocation Tables, directories or files. The Trojan Horse can be embedded by a programmer or downloaded from a BBS. Most Trojan Horses in the microcomputer detonate their payload the moment they run, not only carrying out their intended function but also destroying themselves.

Page 40: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

SOFTWARE PIRACY. The illegal copying of software (and repackaging it for sale). Software piracy is being fought by the Software Publishers Association. Indications are that this amounts to between $4-7 billion in lost sales. This results from individual copying, pirate BBSs, country piracy (China, Taiwan, Singapore, etc.) and try-before-buying rental/loans.

SNIFFING. The installation of a protocol analyzer software program (sniffer) to surreptitiously gather user passwords and log them into unused space under an innocuous name, such as "..". The hacker at some time in the future will return and download the passwords and, if necessary, employ a password cracker.

Page 41: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

BROWSING. Searching through storage to locate or acquire information, without necessarily knowing of the existence or the format of the information being sought.

DATA DIDDLING. The unauthorized changing of data before or during its input to a computer system, resulting in increased paychecks, extra leave, overtime pay, etc.

EMBEZZLING. Using a computer to prepare false financial reports.

FORGERY. The illegal creation of documents or records which are intended to be construed as real, officially produced documents or records. For example, using desktop publishing to create a false driver's license, social security card or passport.

Page 42: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

FRAUD. The exploitation of information systems in an attempt to deceive an organization and/or to take its resources.

DENIAL OF SERVICE. This is performed by trashing a system, tying up ports, placing garbage on screens, changing file names, and erasing program files. This type of attack is becoming more common (spamming, SYN attack, etc.).

SPOOFING. The deliberate inducement of a user or a resource to take incorrect action. Example: a user writes a program that gives "system-like" responses to someone trying to log on to the system; thus, the person trying to log on will unwittingly give his password to the person/program doing the spoofing.

Page 43: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

SUPERZAPPING. The unauthorized use of a utility computer program that violates computer access controls to modify, destroy, copy, disclose, insert, use, deny use of or expose data in a computer. The name derives from an IBM utility program called "Superzap" which permitted an operator to start, stop or modify a procedure that has been misbehaving. The equivalent in a microcomputer would be something like PC Tools or Norton Utilities.

SALAMI TECHNIQUES. The unauthorized, covert process of taking small amounts (slices) of money from many sources in and with the aid of a computer. An example is the round-down fraud, whereby remainders from the computations of interest are moved to the attacker's account instead of being systematically distributed among the accounts that were rounded up.

The story is told of a Russian worker who left the factory each night with a wheelbarrow full of sawdust. Every night the guard poked the sawdust and, upon finding nothing, let him pass. Several years later, after both were retired, they accidentally met in a bar and the guard asked him what he had been stealing in the wheelbarrow, to which the worker replied: "Oh, I was stealing the wheelbarrows."
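The round-down fraud is easier to reason about in numbers, and so is the control that catches it. The following is an added example, not from the slides: it posts one month of interest honestly and then with the shaved fractions of a cent diverted to a hypothetical insider account, and shows that a totals-only reconciliation passes both runs while a per-account entitlement check flags only the diverted one. Balances, rate and account numbers are constructed.

```python
"""Added example (not from the slides): the round-down salami fraud in
numbers, with the totals-only control it defeats and the per-account
control that exposes it. All figures are constructed."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")


def post_interest(balances, rate, divert_to=None):
    """Compute one period of interest per account. Honest posting rounds
    half-even. If divert_to is given, every account is rounded DOWN and
    the shaved fractions of a cent are accumulated into that one account."""
    posted = {}
    shaved = Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        if divert_to is None:
            posted[acct] = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        else:
            down = exact.quantize(CENT, rounding=ROUND_DOWN)
            posted[acct] = down
            shaved += exact - down
    if divert_to is not None:
        extra = shaved.quantize(CENT, rounding=ROUND_DOWN)
        posted[divert_to] = posted.get(divert_to, Decimal("0")) + extra
    return posted


def ledger_balances(balances, rate, posted):
    """Totals-only control: total posted interest matches total exact
    interest within half a cent per account. The round-down fraud passes
    this, because the diverted remainders are still inside the total."""
    total_exact = sum(bal * rate for bal in balances.values())
    total_posted = sum(posted.values())
    return abs(total_posted - total_exact) <= CENT / 2 * len(balances)


def over_entitlement(balances, rate, posted):
    """Per-account control: any account credited more than one cent above
    its exact entitlement. Honest rounding never exceeds half a cent;
    round-down is never above; the insider account collects many cents."""
    anomalies = {}
    for acct, amount in posted.items():
        exact = balances.get(acct, Decimal("0")) * rate
        if amount - exact > CENT:
            anomalies[acct] = amount - exact
    return anomalies


BALANCES = {  # constructed sample balances
    "A-1001": Decimal("1234.56"), "A-1002": Decimal("2500.99"),
    "A-1003": Decimal("987.65"), "A-1004": Decimal("4444.44"),
    "A-1005": Decimal("3210.98"),
}
RATE = Decimal("0.004")  # constructed monthly rate
INSIDER = "A-9999"       # hypothetical account receiving the remainders


def demo():
    """Run both postings through both controls."""
    honest = post_interest(BALANCES, RATE)
    salami = post_interest(BALANCES, RATE, divert_to=INSIDER)
    return {
        "honest_balances": ledger_balances(BALANCES, RATE, honest),
        "salami_balances": ledger_balances(BALANCES, RATE, salami),
        "honest_anomalies": over_entitlement(BALANCES, RATE, honest),
        "salami_anomalies": over_entitlement(BALANCES, RATE, salami),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```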

Page 44: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

PIGGY BACKING. Unauthorized access that is gained to an ADP system via another user's legitimate connection. Also a method of gaining unauthorized physical access to guarded areas when the attacker does not possess the required authorization to pass. Electronic piggybacking occurs when a computer or terminal covertly shares the same communication line as an authorized user. The host computer, to which they both transmit, is unable to distinguish the signals of the authorized user from those of the unauthorized user.

EAVESDROPPING. The unauthorized interception of information-bearing emanations through the use of methods other than wiretapping (TEMPEST).

SCAVENGING. Searching through residue for the purpose of unauthorized data acquisition. A covert, unauthorized method of obtaining information that may be left in or around a computer system after the execution of a job. Included here is a physical search (trash barrels, carbon copies, ribbons, diskettes, etc.) and a search for residual data within the computer storage areas, temporary storage tapes, and the like. This, for example, encompasses dumpster diving, unerasing diskette files, examining scratch tapes and looking at old ribbons.

Page 45: HACKERS - The Modern Roadwarrior-

Typical Hacker Attacks

BUMBLING. Sometimes called "accidents", "errors of omission", or "errors of commission". Indications are that this amounts to 50-60% of annual dollar loss. This is the result of clumsy fingers, big thumbs, and improper training.

DATA LEAKAGE. The covert copying of computer information and its removal from the organization. For example, this could be as simple as the copying of a software program for home use. This can be accomplished through diskettes, tape or hard copy. Very rarely do guards perform body checks or open briefcases.

WIRETAPPING. Normally accomplished at the wiring closet. Passive wiretapping with electrical induction can easily be accomplished with a tape recorder, microphone, AM/FM portable radio, a modem and a printer. The cassette recorder, through induction, picks up the signal, amplifies it through the radio, perhaps acoustically coupling it through a modem which converts the analog signal to digital for printing. Active wiretapping is the monitoring and recording of data while the data is being transmitted over a communications link.