
Hacking as Warfare

Tony Villasenor
Director of Technical Services

GeoTrust Inc.
Previous Posts: Director, NASA Science Internet; Chair, Federal Network Council (CERT, etc.); Architect, Russian Science Internet; Consultant, USAID, DOS, WHO
6/27/2013 Hacking as Warfare 1

Hacking as Warfare
TECHNOLOGY
- Network-based attack tools
- Network defense tools
PSYCHOLOGY
- Why do it?
CYBER TERRORISM
- Terrorists
- Terrorist sympathizers
- Targeted countries
IMPACT ON CITIZENS

Network Security Issues Part 1 of 2


(A Playground for Hackers)


Network-Based Attacks
Better accessibility because of the network:
- Web sites
- Email servers
- File servers
- DNS servers
- Routers
- Etc.


Web Attacks
Buffer Overflow:
- Occurs when a program does not check to make sure the data it is putting into a space will actually fit into that space
- A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine
- IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57)

Apache HTTP Server version 1.3.19:
- could allow a remote attacker to send an HTTP request to cause the server to crash with unexpected behavior.


Web Attacks
Semantic attacks:
- changing the web content subtly, thus providing false information
- Active-X, Java cookies containing executable code (like BO2K)

Web Admin utilities:
- NATd servers are less visible
- Static IP is bad!
- http://www.sans.org/newlook/resources/IDFAQ/DIC.htm

FAQs:
- http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html


Examples of Web Attacks


Cracking Session ID numbers:
- https://www.tonybank.com/account.asp?sid=12345678
- URL session tracking
- Hidden form elements
- Cookies

Cracking a SQL database:
- Enter an incorrect string to get an error message which shows how the database forms a query.
- http://www.wiretrip.net/rfp/p/doc.asp?id=42
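Worked example, added here and not part of the original slides: the counter-style session ID from the URL above beside an issuer that draws IDs from the operating system's CSPRNG, and the string-built query that echoes raw database errors beside a parameterised one that does not. The class and function names, the in-memory accounts table and the sample values are all constructed for this example.

```python
import secrets
import sqlite3

# --- Session IDs ------------------------------------------------------------
# A counter-based issuer like sid=12345678 on the slide, beside a CSPRNG-based
# one. Both class names are hypothetical.


class SequentialSessionIssuer:
    """Weak: each ID is the previous one plus one, so holding one valid ID
    tells you every neighbouring ID."""
    def __init__(self, start=12345678):
        self._next = start

    def issue(self):
        sid = str(self._next)
        self._next += 1
        return sid


class RandomSessionIssuer:
    """Hardened: 128 random bits per ID, no relation between successive IDs."""
    def issue(self):
        return secrets.token_urlsafe(16)   # 16 bytes -> 22 URL-safe characters


def ids_are_sequential(ids):
    """Review check: do the issued IDs step by exactly one each time?"""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


# --- Query construction -----------------------------------------------------
# Constructed in-memory table so the example runs offline.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (sid TEXT, owner TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('12345678', 'alice')")
    return conn


def lookup_unsafe(conn, sid):
    """Vulnerable pattern from the slide: the request value is spliced into the
    SQL text, and the raw database error goes back to the client, telling the
    sender how the query is built."""
    try:
        row = conn.execute(
            "SELECT owner FROM accounts WHERE sid = '%s'" % sid).fetchone()
        return row[0] if row else None
    except sqlite3.Error as e:
        return "DB error: %s" % e


def lookup_safe(conn, sid):
    """Hardened: the value is bound as a parameter, so it can never change the
    query's structure, and errors are handled server-side only."""
    try:
        row = conn.execute(
            "SELECT owner FROM accounts WHERE sid = ?", (sid,)).fetchone()
        return row[0] if row else None
    except sqlite3.Error:
        return None   # real code would log the exception here, not echo it
```

A stray quote in the input (`1'`) is enough to make the unsafe lookup return an SQL syntax error to the caller, while the safe lookup simply finds no row; the same input can be used to test both against a real application.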


Examples of Web Attacks (cont.)


Loki:
- Uses ICMP (ping) as a tunnel for communications and control
- See Phrack Issue 49

Reverse WWW Shell:
- Allows command-line access to machine via HTTP port
- Requires inside job to install/run the Reverse WWW Shell server
- Looks like ordinary HTTP traffic, allowed by firewalls!

Steganography & Digital Watermarking:
- Distribute MALware by embedding code in .bmp, .jpeg or .gif images

Security Mavens Invaded by Trojan (1 of 2)


http://www.wired.com/news/technology/0,1282,41563,00.html
by Michelle Delio, 10:35 a.m. Feb. 1, 2001 PST

A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night. A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.


Security Mavens Invaded by Trojan (2 of 2)


But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers. Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack." NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.

Information Security Magazine (Oct. 2001)


http://www.infosecuritymag.com/articles/october01/images/survey.pdf

Survey Finds Web Server Attacks Doubled in 2001


By Amy Newman October 10, 2001
IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems. Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.


Information Security Magazine (Oct. 2001)


Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed. "The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey. "Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added. One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.

E-Mail Attacks
Email bombing:
- repeatedly sending an identical email message to a particular address.
- http://www.cert.org/tech_tips/email_bombing_spamming.html

MALware Attachments:
- worms, viruses, trojan horses, etc.

SPAM:
- Unsolicited junk mail
- At sites with mailers that permit relaying

E-Mail Attacks
RTF files are ASCII text files and include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus.

An MP3 file consists of highly compressed audio tracks. MP3 files are not programs, and viruses cannot infect them.

SPAM Control
Three rules for controlling SPAM; the code is inserted in the sendmail.cf file (the left-hand and right-hand sides of each R line are separated by a tab, as sendmail requires):

Scheck_rcpt
# anything terminating locally is ok
R< $+ @ $=w >	$@ OK
# anything originating locally is ok
R$*	$: $(dequote "" $&{client_name} $)
R$=w	$@ OK
R$@	$@ OK
# anything else is bogus
R$*	$#error $: "550 Relaying Denied"
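Sendmail's rewriting syntax is terse, so here is the same decision written out as an added Python function (not sendmail's own code): LOCAL_HOSTS stands in for class $=w, the client_name argument for the $&{client_name} macro, and each rule group is marked with the R line it mirrors. The function name and the example domains are assumptions.

```python
# LOCAL_HOSTS mirrors sendmail's class $=w: the names this host accepts mail for.
# Constructed for the example.
LOCAL_HOSTS = {"mail.example.org", "example.org", "localhost"}


def check_rcpt(recipient, client_name, local_hosts=LOCAL_HOSTS):
    """Return 'OK' or the SMTP error text for one RCPT TO: command.

    recipient   -- the address given in RCPT TO, e.g. 'bob@example.org'
    client_name -- resolved hostname of the connecting client, '' if none
    """
    # Rule 1: anything terminating locally is ok     R< $+ @ $=w >  $@ OK
    addr = recipient.strip("<>").lower()
    if "@" in addr and addr.rsplit("@", 1)[1] in local_hosts:
        return "OK"
    # Rule 2: anything originating locally is ok      R$=w $@ OK  /  R$@ $@ OK
    # $(dequote ... $) strips quoting from the name; the R$@ line passes an
    # empty client name (mail submitted locally rather than over the network).
    name = client_name.strip('"').lower()
    if name in local_hosts or name == "":
        return "OK"
    # Rule 3: anything else is bogus                 R$*  $#error $: "550 Relaying Denied"
    return "550 Relaying Denied"


def relay_decisions(session):
    """Apply the policy to a constructed list of (recipient, client_name) pairs
    and return one verdict per pair, in order."""
    return [check_rcpt(rcpt, client) for rcpt, client in session]
```

Worth noticing when reading rule 2: relay permission keys on the hostname the client resolves to, so whoever controls that reverse lookup controls the decision. A practitioner would back this up with checks on the client's IP address rather than its name alone.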


Network Attacks
DOS, DDoS:
- coordinated attack by one or multiple sources
- SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
- Aided by proliferation of DSL home users

DNS, BIND:
- Redirection: the site you're on is not really the site you think you're on!
- Vulnerability in BIND to allow remote user to gain privileged access

Routers:
- Change routing information to disable network
- Cisco's IOS proliferates the worldwide backbone of the Internet

Sniffers:
- examine network traffic going to and from other machines
- gather usernames and passwords
- capture electronic mail


Network Attacks (cont.)


Firewalls
IDS, HoneyPots, SATAN, vulnerability scanners
- http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

Tripwire to detect configuration changes


Example: DOS
http://www.cert.org/tech_tips/denial_of_service.html
Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at: http://www.cert.org/advisories/CA-1996-21.html

In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus half-open connections.


Example: DOS (cont.)


This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.

An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle could be anything (smurfing). Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect: hence, DDoS.

In addition to network bandwidth, intruders could consume other resources: for example, anything that allows data to be written to disk can be used to execute a DOS attack if there are no bounds on the amount of data that could be written.
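To make the "limited number of data structures" concrete, here is an added simulation (not from the slides or from CERT) of a listener's half-open connection table under a SYN flood, with two mitigations a defender can compare: a larger backlog, which only delays exhaustion, and SYN cookies, which store no state until the handshake completes. The class, the traffic rates and the table sizes are constructed for the example.

```python
from collections import OrderedDict


class Listener:
    """A listening socket's half-open (SYN_RECV) table as the CERT text
    describes it: a fixed number of slots, each held until the handshake
    completes or the entry times out."""

    def __init__(self, backlog=8, syn_timeout=75.0, syn_cookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syn_cookies = syn_cookies
        self.half_open = OrderedDict()      # peer -> time the SYN arrived
        self.established = 0
        self.dropped_syns = 0

    def _reap(self, now):
        for peer, t0 in list(self.half_open.items()):
            if now - t0 > self.syn_timeout:
                del self.half_open[peer]

    def on_syn(self, now, peer):
        """A SYN arrives. Without SYN cookies a slot must be reserved for it."""
        self._reap(now)
        if self.syn_cookies:
            return True                     # state lives in the SYN-ACK sequence number
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[peer] = now
        return True

    def on_ack(self, now, peer):
        """The client's final ACK completes the handshake."""
        if self.syn_cookies or peer in self.half_open:
            self.half_open.pop(peer, None)
            self.established += 1
            return True
        return False                        # its SYN was dropped, so no connection


def simulate(listener, seconds=10, flood_per_second=50, ticks_per_second=10):
    """Constructed traffic: flood_per_second SYNs from rotating spoofed peers
    that never ACK, plus one legitimate client per second that ACKs one tick
    later. Returns (legitimate attempts, legitimate connections established)."""
    attempts = established = 0
    pending = None
    spoof = 0
    per_tick = flood_per_second // ticks_per_second
    for tick in range(seconds * ticks_per_second):
        now = tick / ticks_per_second
        if pending is not None:             # legitimate client finishes its handshake
            if listener.on_ack(now, pending):
                established += 1
            pending = None
        if tick % ticks_per_second == 0:    # one legitimate SYN per second
            attempts += 1
            peer = ("legit", tick)
            if listener.on_syn(now, peer):
                pending = peer
        for _ in range(per_tick):           # the flood, never acknowledged
            listener.on_syn(now, ("spoofed", spoof))
            spoof += 1
    return attempts, established
```

With the default 8-slot table and a 75-second timeout, 50 bogus SYNs per second fill the table in the first two tenths of a second and only the very first legitimate client gets through. A 1000-slot table survives 20 seconds of the same flood and then fails the same way, which is why a bigger backlog alone is not a fix; with SYN cookies every legitimate client connects because nothing is stored until its ACK arrives.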

Denial of Service Attacks


http://www.cert.org/present/cert-overview-trends/sld001.htm

- Make networks or hosts unusable
- Disrupt services
- Difficult or impossible to locate source
- Becoming very popular with attackers, especially:
  - IRC sites
  - Controversial sites or services

Bottom Line: COSTLY!


Back Orifice 2000


http://www.commandcom.com/virus/backorifice2000.html
- Ping and query the server
- Reboot or lock up the system
- List cached and screen saver passwords
- Display system information
- Log keystrokes, view the keystroke log and delete the keystroke log
- Display a message box
- Map a port to another IP address, application, HTTP file server, or filename
- List ports mapped by BackOrifice 2000
- Send a file through another port
- Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections

Back Orifice 2000 (cont.)


- List current processes, kill a process and start a process
- View and edit the registry: create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
- Video and audio capture and playback
- Capture a screen shot
- File and directory commands: list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
- Receive and send files
- Compress and uncompress files
- Resolve host name and address
- Server control: shutdown server, restart server, load plug-in, remove plug-in and list plug-ins

Intruder Detection Checklist


http://www.cert.org/tech_tips/intruder_detection_checklist.html
Look for Signs That Your System May Have Been Compromised:
1. Examine log files
2. Look for setuid and setgid files
3. Check system binaries
4. Check for packet sniffers
5. Examine files run by 'cron' and 'at'
6. Check for unauthorized services
7. Examine /etc/passwd file
8. Check system and network configuration
9. Look everywhere for unusual or hidden files
10. Examine all machines on the local network
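Items 2, 3, 7 and 9 of the checklist, and the Tripwire entry on the earlier slide, come down to comparing the system against a known-good record. The following added example (neither CERT's nor Tripwire's code) does that in a temporary directory: it records a SHA-256 digest and the permission bits of every file, reports modified, added and removed files, lists setuid/setgid files, and flags any extra UID 0 account in a constructed passwd file. The function names and the sample tree are assumptions; the checks require a POSIX filesystem.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Digest and permission bits of every regular file under root, keyed by
    path relative to root. Take this while the system is known to be clean and
    keep it somewhere the intruder cannot edit."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, root)
                baseline[rel] = (file_digest(full), stat.S_IMODE(st.st_mode))
    return baseline


def compare_to_baseline(baseline, root):
    """Checklist items 3 and 9: changed binaries, new or hidden files."""
    current = build_baseline(root)
    both = set(baseline) & set(current)
    return {
        "modified": sorted(p for p in both if current[p][0] != baseline[p][0]),
        "mode_changed": sorted(p for p in both if current[p][1] != baseline[p][1]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def find_setuid_setgid(root):
    """Checklist item 2: regular files with the setuid or setgid bit set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def extra_uid0_accounts(passwd_text):
    """Checklist item 7: any account besides root with UID 0."""
    extras = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extras.append(fields[0])
    return extras


def demo():
    """Constructed scenario: baseline a tiny 'bin' tree, then replace one
    binary and drop a hidden setuid file, and run the checks."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name in ("ls", "ps"):
            path = os.path.join(bin_dir, name)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(path, 0o755)
        baseline = build_baseline(root)

        with open(os.path.join(bin_dir, "ps"), "wb") as f:   # replaced binary
            f.write(b"#!/bin/sh\necho ps-but-different\n")
        hidden = os.path.join(bin_dir, ".sh")                  # hidden setuid file
        with open(hidden, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(hidden, 0o4755)

        return compare_to_baseline(baseline, root), find_setuid_setgid(root)
```

The digest comparison is only as trustworthy as the baseline's storage and the tools used to read the files, which is the point of checklist item 3: a replaced `ls` or `find` can hide what a scan built on them would otherwise report.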

Other Attack Methods


Piggyback:
- gain unauthorized access to a system via an authorized user's legitimate connection.

Redirects:
- The action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.


Other Attack Methods (cont.)


Social Engineering:
- Authority Attack: using a fake badge or uniform to gain info or access, identifying a key individual as an alleged friend, or claiming authority and demanding information
- Knee Jerk Attack: making an outlandish statement in order to get an informational response
- Persistent Attack: continuous harassment using guilt, intimidation and other negative ways to obtain information
- Social Attack: social parties are a great time and place to gain access and information from/about employees and activities
- Fake Survey Attack: win a free trip to Hawaii, just answer these questions about your network
- Help Desk Attack: impersonating a current or new end-user needing help with access to a net/server

Gee, Thanks a Lot !


NEWS HEADLINE - eEye Digital Security unveils one of the largest security holes on the Internet to date

Corona Del Mar, CA - eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server, the most commonly used Windows NT web server on the Internet. The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server.

Less than a month later, the Code Red worm appeared; then a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine.

http://www.eeye.com/html/press/PR19990608.html

Network Defenses
- Firewalls, DMZ, air gap
- VPN, SSL encryption
- Intrusion Detection Systems, honeypots and burglar alarms, vulnerability scanners
- e-mail filters, S/MIME encryption

Bastion Host - A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

http://www.linuxsecurity.com/dictionary/dict-42.html

What Does a Firewall Do?


Define network components:
- Workstations, routers, networks, printers, etc.
- Insiders, Outsiders, Bad Guys

Typical Policy Rules:
- Stop Bad Guys (from Any Source, to Any Destination)
- Stop non-Insiders from getting Inside/Outside
- Allow Insiders to get Inside (other nets, resources, etc.)
- Allow Insiders to get Outside (i.e., on specific ports)
- Deny Everything Else

Reports, Alarms:
- Event logs, various levels of detail
- Notify if certain events occur
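As an added example (not from the slides), the policy rules above written as a first-match decision function that ends in deny-everything-else, together with the Reports and Alarms part: every decision is logged, and an alert is raised when a blocklisted source appears or when one source accumulates five denials. The address ranges (10/8 as Inside, 203.0.113.0/24 as the Bad Guys list), the outbound port set and all names are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed address plan: the enterprise uses 10/8 inside; the "Bad Guys"
# list is a blocklist of known-hostile ranges; insiders may reach the outside
# only on the listed ports.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BAD_GUY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OUTBOUND_PORTS = {25, 53, 80, 443}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Classify an address as 'bad', 'inside' or 'outside'. Bad wins, so a
    blocklisted address is never treated as an insider."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BAD_GUY_NETS):
        return "bad"
    if any(addr in net for net in INSIDE_NETS):
        return "inside"
    return "outside"


class Firewall:
    """First-match policy in the order the slide lists it, ending in deny-all."""

    def __init__(self, alert_after=5):
        self.events = []              # (verdict, rule, src, dst, dport)
        self.alerts = []
        self.denies_by_src = Counter()
        self.alert_after = alert_after

    def decide(self, pkt: Packet) -> str:
        s, d = zone_of(pkt.src), zone_of(pkt.dst)
        if s == "bad" or d == "bad":
            verdict, rule = "deny", "stop Bad Guys"
        elif s != "inside":
            verdict, rule = "deny", "stop non-Insiders getting Inside/Outside"
        elif d == "inside":
            verdict, rule = "allow", "Insiders to Inside"
        elif pkt.dport in OUTBOUND_PORTS:
            verdict, rule = "allow", "Insiders to Outside on specific ports"
        else:
            verdict, rule = "deny", "deny everything else"
        self._record(verdict, rule, pkt, s)
        return verdict

    def _record(self, verdict, rule, pkt, src_zone):
        """Event log plus the two notification conditions."""
        self.events.append((verdict, rule, pkt.src, pkt.dst, pkt.dport))
        if src_zone == "bad":
            self.alerts.append("blocklisted source %s contacted %s" % (pkt.src, pkt.dst))
        if verdict == "deny":
            self.denies_by_src[pkt.src] += 1
            if self.denies_by_src[pkt.src] == self.alert_after:
                self.alerts.append("%d denied packets from %s" % (self.alert_after, pkt.src))
```

The order of the branches is the policy: moving the "Insiders to Inside" test above the Bad Guys test would let a blocklisted address that happens to fall inside 10/8 through, which is the kind of mistake the event log with the matching rule name makes visible.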


Network Design Considerations


Support communications requirements

Design Goals:
- Easy to use
- Inexpensive
- Reliable
- Fast
- Secure

Counter-Issues:
- Access Controls (passwords, permissions, etc.)
- Security Management (policy, maintenance, updates)
- Security Overhead (bandwidth, cycles, manpower)


Basic Network Architecture


[Network diagram; only its labels survive the extraction: INTERNET, DTE, router, firewall, filters, servers for mail, www, dns and usage, Intranet 1 (router, firewall, router), Intranet 2. Annotations on the diagram: "Security Policy?" and "Management Support?"]


HACKER PSYCHOLOGY
Achievement:
- The Harder the Better
- The Bigger the Better
- How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html

Fame:
- Recognition (Distrust)
- Respect (Fear)
- Phrack: http://www.phrack.com/
- DarkCyde (for Phreakers): http://www.f41th.com/
- cDc: http://www.cultdeadcow.com/

Surprise:
- Creativity

Money*:
- Corporations
- Governments

*Note: Hackers don't make the Money; their Thrill is in the Game!

Lopht: We Can Cripple Internet in 30 minutes


WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames, Mudge, Space Rogue, Brian Oblivion, "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn. "I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.

Lopht: We Can Cripple Internet in 30 minutes


MANHASSET, N.Y., April 16 /PRNewswire/ - A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault of Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program L0phtcrack they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.

Popular View of Hackers (also by Hackers)
