Hacking as Warfare - Tony Villasenor


Transcript of Hacking as Warfare - Tony Villasenor

  • 7/28/2019 Hacking as Warfare - Tony Villasenor

    1/34

    6/27/2013 Hacking as Warfare 1

    Hacking as Warfare

    Tony Villasenor, Director of Technical Services

    GeoTrust Inc.

    Previous Posts: Director, NASA Science Internet

    Chair, Federal Network Council (CERT, etc.)
    Architect: Russian Science Internet
    Consultant: USAID, DOS, WHO

    2/34

    Hacking as Warfare

    TECHNOLOGY: Network-based attack tools; Network defense tools

    PSYCHOLOGY: Why do it?

    CYBER TERRORISM: Terrorists; Terrorist sympathizers; Targeted countries

    IMPACT ON CITIZENS

    3/34

    Network Security Issues

    Part 1 of 2

    (A Playground for Hackers)

    4/34

    Network-Based Attacks

    Better accessibility because of the network:
    Web sites, Email Servers, File Servers, DNS Servers, Routers, etc.

    5/34

    Web Attacks

    Buffer Overflow:
    - Occurs when a program does not check to make sure the data it is putting into a space will actually fit into that space
    - A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine
    - IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57). Note that this one is not an overflow at all: it is a Unicode path-decoding flaw that lets "../" sequences past IIS's directory checks, though it too ends in remote command execution
    - Apache HTTP Server version 1.3.19: could allow a remote attacker to send an HTTP request to cause the server to crash with unexpected behavior

    6/34

    Web Attacks

    Semantic attacks: changing the web content subtly, thus providing false information

    ActiveX, Java, cookies containing executable code (like BO2K)

    Web Admin utilities

    NAT'd servers are less visible; static IP is bad!
    FAQs: http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
    http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

    7/34

    Examples of Web Attacks

    Cracking Session ID numbers
    - https://www.tonybank.com/account.asp?sid=12345678
    - URL session tracking, hidden form elements, cookies

    Cracking a SQL database
    - Enter an incorrect string to get an error message which shows how the database forms a query.
    - http://www.wiretrip.net/rfp/p/doc.asp?id=42
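The two attacks on this slide, worked as an added example (this is not code from the presentation; the account table, its columns and the session-ID values are constructed for illustration). The first function shows why a counter-style sid such as 12345678 is guessable and what to hand out instead; the second pair contrasts a lookup that pastes the sid into the query text with one that binds it as a parameter, using an in-memory SQLite database so it runs offline. The slide's probing step is the probe_error helper: a stray quote makes the database complain, which tells the attacker the parameter reaches a SQL parser (on servers that echo the failing statement, the message also reveals how the query is built).

```python
import secrets
import sqlite3


def predict_next_sid(observed):
    """Given the session IDs handed out to successive logins, return the
    next one if they advance by a constant stride (the sid=12345678 pattern
    on the slide), else None. An attacker who logs in twice learns the
    stride and can then walk through neighbouring users' sessions."""
    if len(observed) < 2:
        return None
    strides = {b - a for a, b in zip(observed, observed[1:])}
    if len(strides) != 1:
        return None
    return observed[-1] + strides.pop()


def new_session_id(nbytes=16):
    """Unguessable replacement: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(nbytes)


def make_db():
    """Constructed sample data standing in for the bank's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (sid INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(12345678, "alice", 100), (12345679, "bob", 250), (12345680, "carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, sid):
    """account.asp?sid=... as too many early web apps wrote it: the URL
    parameter is concatenated into the SQL text, so it can rewrite the query."""
    query = "SELECT owner, balance FROM accounts WHERE sid = " + sid
    return conn.execute(query).fetchall()


def lookup_safe(conn, sid):
    """Same lookup with type validation and a bound parameter; the value is
    never parsed as SQL. Non-numeric input is rejected with ValueError."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE sid = ?", (int(sid),)
    ).fetchall()


def probe_error(conn, sid):
    """The slide's probing step: send a malformed value and capture the
    database's error text. Returns the message, or None if nothing failed."""
    try:
        lookup_vulnerable(conn, sid)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("next sid guess:", predict_next_sid([12345678, 12345679, 12345680]))
    print("probe:", probe_error(db, "12345678'"))
    print("injected:", lookup_vulnerable(db, "0 OR 1=1"))
    print("safe:", lookup_safe(db, "12345678"))
```

The injected value `0 OR 1=1` turns the WHERE clause into a tautology and returns every account; the bound-parameter version rejects it before the database ever sees it.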

    8/34

    Examples of Web Attacks (cont.)

    Loki
    - Uses ICMP (ping) as a tunnel for communications and control
    - See Phrack Issue 49

    Reverse WWW Shell
    - Allows command-line access to machine via HTTP port
    - Requires inside job to install/run the Reverse WWW Shell server
    - Looks like ordinary HTTP traffic, allowed by firewalls!

    Steganography & Digital Watermarking
    - Distribute malware by embedding code in .bmp, .jpeg or .gif images
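A detector for the Loki-style channel described above, as an added example (not code from the presentation or from Loki itself). It runs over a constructed packet list rather than a live capture, and the two "stock ping" payload patterns it recognises are assumptions drawn from common ping implementations (Windows sends 32 bytes of the alphabet; iputils-style pings send a timestamp followed by bytes whose value equals their offset); adjust them to what your own hosts send. Echo packets that carry anything else between the same two hosts are what a covert channel looks like on the wire.

```python
import collections

# Assumed Windows ping filler: 32 bytes of the repeating alphabet.
WINDOWS_FILL = (b"abcdefghijklmnopqrstuvwxyz" * 2)[:32]


def looks_like_standard_ping(payload):
    """True if the payload is a stock ping filler: the Windows alphabet, or a
    timestamp (8 or 16 bytes) followed by bytes whose value is their offset
    within the data (0x08.. or 0x10..), as iputils/BSD ping send."""
    if payload == WINDOWS_FILL:
        return True
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if len(payload) > ts_len and body == bytes((ts_len + i) & 0xFF for i in range(len(body))):
            return True
    return False


def detect_icmp_tunnels(packets, min_packets=3):
    """packets: iterable of (src, dst, icmp_type, payload) for echo request (8)
    and echo reply (0). Returns {(host_a, host_b): stats} for host pairs that
    exchanged at least min_packets echo packets carrying non-standard data."""
    stats = collections.defaultdict(lambda: {"packets": 0, "bytes": 0, "samples": []})
    for src, dst, icmp_type, payload in packets:
        if icmp_type not in (0, 8) or looks_like_standard_ping(payload):
            continue
        key = tuple(sorted((src, dst)))   # tunnel traffic flows both ways
        s = stats[key]
        s["packets"] += 1
        s["bytes"] += len(payload)
        if len(s["samples"]) < 3:         # keep a little evidence for the analyst
            s["samples"].append(payload[:24])
    return {k: v for k, v in stats.items() if v["packets"] >= min_packets}


# Constructed sample capture (not real traffic): two ordinary ping exchanges
# and a covert channel carrying commands and their output inside echo packets.
LINUX_PING = bytes(16) + bytes(range(0x10, 0x38))   # 56-byte iputils payload
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", 8, LINUX_PING),
    ("10.0.0.1", "10.0.0.5", 0, LINUX_PING),
    ("10.0.0.6", "10.0.0.1", 8, WINDOWS_FILL),
    ("10.0.0.1", "10.0.0.6", 0, WINDOWS_FILL),
    ("203.0.113.7", "10.0.0.9", 8, b"id\n"),
    ("10.0.0.9", "203.0.113.7", 0, b"uid=0(root) gid=0(root)\n"),
    ("203.0.113.7", "10.0.0.9", 8, b"cat /etc/passwd\n"),
    ("10.0.0.9", "203.0.113.7", 0, b"root:x:0:0:root:/root:/bin/sh\n"),
]

if __name__ == "__main__":
    for pair, info in detect_icmp_tunnels(SAMPLE_PACKETS).items():
        print(pair, info["packets"], "packets,", info["bytes"], "bytes,", info["samples"])
```

The Reverse WWW Shell on the same slide defeats this particular check by design, since it rides HTTP rather than ICMP; for it the equivalent signal is a client that fetches the same URL on a fixed period regardless of user activity.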

    9/34

    Security Mavens Invaded by Trojan (1 of 2)

    by Michelle Delio, 10:35 a.m. Feb. 1, 2001 PST

    A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night.

    A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.

    http://www.wired.com/news/technology/0,1282,41563,00.html

    10/34

    Security Mavens Invaded by Trojan (2 of 2)

    But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers.

    Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack." NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.

    11/34

    Information Security Magazine (Oct. 2001)

    Survey Finds Web Server Attacks Doubled in 2001
    By Amy Newman, October 10, 2001

    IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems.

    Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.

    http://www.infosecuritymag.com/articles/october01/images/survey.pdf

    12/34

    Information Security Magazine (Oct. 2001)

    Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed.

    "The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey.

    "Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added.

    One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.

    13/34

    E-Mail Attacks

    Email bombing: repeatedly sending an identical email message to a particular address.
    http://www.cert.org/tech_tips/email_bombing_spamming.html

    Malware attachments: worms, viruses, trojan horses, etc.

    SPAM: unsolicited junk mail, relayed through sites with mailers that permit relaying

    14/34

    E-Mail Attacks

    RTF files are ASCII text files and include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus. (Caveat: this holds only for genuine RTF. Word chooses a parser by sniffing the file's content, not its extension, so a macro-bearing .doc renamed to .rtf still runs its macros, and RTF can carry embedded OLE objects, which have been used to deliver malware.)

    An MP3 file consists of highly compressed audio tracks. MP3 files are not programs, and viruses cannot infect them. (Caveat: a file is only as safe as the parser that reads it. Malformed tags or frames can trigger bugs in the player that decodes them, and a name ending in .mp3 says nothing about what the file actually contains.)

    15/34

    SPAM Control

    Scheck_rcpt
    # anything terminating locally is ok
    R< $+ @ $=w >	$@ OK
    # anything originating locally is ok
    R$*	$: $(dequote "" $&{client_name} $)
    R$=w	$@ OK
    R$@	$@ OK
    # anything else is bogus
    R$*	$#error $: "550 Relaying Denied"

    Three rules for controlling SPAM (unauthorized relaying); the code is inserted in the sendmail.cf file. In each R line the left-hand pattern and the right-hand action must be separated by a tab, not spaces.
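The same relay decision, worked as an added example in Python (not the presentation's or sendmail's code) so that both sides of the SMTP exchange are visible. The domains, host names and addresses are constructed; the sendmail rules test both the recipient domain and the connecting client against the single class $=w, which LOCAL_NAMES mirrors. check_rcpt applies the three rules to one RCPT TO address; smtp_session runs a minimal server through a relay probe, the test an open-relay scanner would send.

```python
import re

# Assumed site configuration (constructed): the names this server accepts mail
# for and the hosts it regards as its own, standing in for sendmail's $=w.
LOCAL_NAMES = {"example.com", "mail.example.com", "desk42.example.com"}


def check_rcpt(rcpt, client_name, local_names=LOCAL_NAMES):
    """Apply the three relay rules to one RCPT TO address.
    Rule 1: anything terminating locally is ok.
    Rule 2: anything originating locally is ok; an empty client name is a
            local submission (the R$@ line).
    Rule 3: anything else is bogus."""
    m = re.search(r"@([^>\s]+)", rcpt)
    domain = m.group(1).lower() if m else ""
    if domain in local_names:                       # R< $+ @ $=w >   $@ OK
        return "250 OK"
    client = client_name.strip().lower()
    if client == "" or client in local_names:       # R$@ / R$=w      $@ OK
        return "250 OK"
    return "550 Relaying Denied"                    # R$*   $#error


def smtp_session(commands, client_name):
    """Minimal server side of an SMTP dialogue, enforcing check_rcpt at RCPT TO.
    Returns [(command, reply), ...] so both halves of the exchange are visible."""
    replies, accepted = [], 0
    for cmd in commands:
        verb = cmd.strip().split(None, 1)[0].upper() if cmd.strip() else ""
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.example.com Hello " + (client_name or "localhost")
        elif verb == "MAIL":
            reply, accepted = "250 Sender ok", 0
        elif verb == "RCPT":
            reply = check_rcpt(cmd.split(":", 1)[1], client_name) if ":" in cmd else "501 Syntax error"
            accepted += reply.startswith("250")
        elif verb == "DATA":
            reply = "354 Enter mail, end with \".\" on a line by itself" if accepted else "503 Need RCPT (recipient)"
        elif verb == "QUIT":
            reply = "221 mail.example.com closing connection"
        else:
            reply = "500 Command unrecognized"
        replies.append((cmd, reply))
    return replies


# Constructed relay probe: an outside host tries to bounce mail to a third party.
RELAY_PROBE = [
    "HELO spammer.example.net",
    "MAIL FROM:<nobody@spammer.example.net>",
    "RCPT TO:<victim@third-party.example.org>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for cmd, reply in smtp_session(RELAY_PROBE, "spammer.example.net"):
        print("C:", cmd)
        print("S:", reply)
```

Note what the rules do not do: a spammer who connects from a host whose reverse DNS happens to resolve to a name in $=w, or who targets a local address that forwards elsewhere, still gets through, which is why later sendmail releases replaced hand-written check_rcpt with the access database and relay-domains features.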

    16/34

    Network Attacks

    DoS, DDoS: coordinated attack by one or multiple sources
    - SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
    - Aided by proliferation of DSL home users

    DNS, BIND
    - Redirection: the site you're on is not really the site you think you're on!
    - Vulnerability in BIND to allow remote user to gain privileged access

    Routers
    - Change routing information to disable network
    - Cisco's IOS proliferates the worldwide backbone of the Internet

    Sniffers
    - Examine network traffic going to and from other machines
    - Gather usernames and passwords
    - Capture electronic mail

    17/34

    Network Attacks (cont.)

    Firewalls; IDS, honeypots, SATAN, vulnerability scanners

    http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

    Tripwire to detect configuration changes

    18/34

    Example: DOS

    Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at: http://www.cert.org/advisories/CA-1996-21.html

    In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus half-open connections.

    http://www.cert.org/tech_tips/denial_of_service.html

    19/34

    Example: DOS (cont.)

    This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.

    An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle could be anything (smurfing). Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect: hence, DDoS.

    In addition to network bandwidth, intruders could consume other resources: for example, anything that allows data to be written to disk can be used to execute a DOS attack if there are no bounds on the amount of data that could be written.
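The dial-up claim above, made concrete as an added example (not code from the presentation or from the CERT advisory). The first two functions put numbers on why a SYN flood needs so little bandwidth: a half-open entry lives until the SYN-RECEIVED timer fires, so the attacker only has to refill the backlog once per timeout. The backlog of 128 and 75-second timer used in the usage are assumed illustrative values, not figures from the slide. The other two functions are the defender's side: counting SYN_RECV sockets per listener in a constructed `netstat -an` excerpt and flagging listeners whose queue has filled.

```python
import collections
import re

# Matches the Linux/BSD `netstat -an` TCP line layout (assumed): proto, recv-q,
# send-q, local address, foreign address, state.
NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def syn_rate_to_exhaust(backlog, syn_recv_timeout_s):
    """SYNs per second an attacker must sustain to keep a listener's half-open
    queue full: entries expire every timeout seconds, so the queue refills at
    backlog / timeout per second."""
    return backlog / syn_recv_timeout_s


def bandwidth_bits_per_s(syn_rate, packet_bytes=60):
    """Line rate that SYN stream needs, assuming ~60-byte SYN frames."""
    return syn_rate * packet_bytes * 8


def half_open_per_listener(netstat_lines):
    """Count SYN_RECV sockets per local address:port from netstat output."""
    counts = collections.Counter()
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if m and m.group(3) == "SYN_RECV":
            counts[m.group(1)] += 1
    return counts


def flooded_listeners(counts, backlog):
    """Listeners whose half-open count has reached the backlog limit."""
    return {sock: n for sock, n in counts.items() if n >= backlog}


# Constructed netstat -an excerpt (not real output): a web server under a small
# flood from spoofed source addresses that will never complete the handshake.
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:80           198.51.100.23:41234     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.77:51002     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:33120       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.201:60211     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.5:40005      SYN_RECV
tcp        0      0 192.0.2.10:80           192.0.2.44:52233        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.44:52240        ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    rate = syn_rate_to_exhaust(backlog=128, syn_recv_timeout_s=75)   # assumed values
    print("SYN/s needed: %.2f, line rate: %.0f bit/s" % (rate, bandwidth_bits_per_s(rate)))
    counts = half_open_per_listener(SAMPLE_NETSTAT)
    print("half-open per listener:", dict(counts))
    print("flooded (toy backlog of 5):", flooded_listeners(counts, backlog=5))
```

With those assumed values the attacker needs under two SYNs per second, roughly 800 bit/s, a small fraction of even a 1990s modem link, which is exactly the asymmetry the text describes. The counting check is what to run on the victim; modern kernels answer the problem with SYN cookies, which let the listener accept a connection without holding any state until the handshake completes.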

    20/34

    Denial of Service Attacks

    Make networks or hosts unusable
    Disrupt services
    Difficult or impossible to locate source
    Becoming very popular with attackers, especially against IRC sites and controversial sites or services

    Bottom Line: COSTLY!

    http://www.cert.org/present/cert-overview-trends/sld001.htm

    21/34

    Back Orifice 2000

    Ping and query the server
    Reboot or lock up the system
    List cached and screen saver passwords
    Display system information
    Log keystrokes, view the keystroke log and delete the keystroke log
    Display a message box
    Map a port to another IP address, application, HTTP file server, or filename
    List ports mapped by BackOrifice 2000
    Send a file through another port
    Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections

    http://www.commandcom.com/virus/backorifice2000.html

    22/34

    Back Orifice 2000 (cont.)

    List current processes, kill a process and start a process
    View and edit the registry - create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
    Video and audio capture and playback
    Capture a screen shot
    File and directory commands - list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
    Receive and send files
    Compress and uncompress files
    Resolve host name and address
    Server control - shutdown server, restart server, load plug-in, remove plug-in and list plug-ins

    23/34

    Intruder Detection Checklist

    Look for Signs That Your System May Have Been Compromised
    1. Examine log files
    2. Look for setuid and setgid files
    3. Check system binaries
    4. Check for packet sniffers
    5. Examine files run by 'cron' and 'at'
    6. Check for unauthorized services
    7. Examine /etc/passwd file
    8. Check system and network configuration
    9. Look everywhere for unusual or hidden files
    10. Examine all machines on the local network

    http://www.cert.org/tech_tips/intruder_detection_checklist.html
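Items 2, 3 and 9 of the checklist, plus the Tripwire idea from the earlier slide, as one added example (not code from the presentation, CERT or Tripwire). It hashes every regular file under a root, compares a later snapshot against that baseline, lists files carrying the setuid or setgid bit, and picks out names made only of dots and spaces that hide beside "." and ".." in a listing. run_demo builds a throwaway directory, takes a baseline, then tampers with it the way an intruder would; everything in it is constructed. In real use the baseline must live where the intruder cannot rewrite it, and the hashing binary itself must be trusted (item 3 exists precisely because a replaced ls or ps lies).

```python
import hashlib
import os
import stat
import tempfile


def is_setid(mode):
    """Checklist item 2: setuid or setgid bit present in a file mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def iter_regular_files(root):
    """Yield (relative path, lstat) for regular files under root. lstat is used
    so a symlink planted in place of a binary is not silently followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st


def find_setid_files(root):
    return sorted(rel for rel, st in iter_regular_files(root) if is_setid(st.st_mode))


def odd_names(root):
    """Checklist item 9: names consisting only of dots and spaces ('...', '.. ')
    that blend into the '.' and '..' entries of an ls listing."""
    return sorted(rel for rel, _ in iter_regular_files(root)
                  if os.path.basename(rel).strip(". ") == "")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Checklist item 3 / Tripwire: hash every regular file under root."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel, _ in iter_regular_files(root)}


def compare(baseline, current):
    """What changed between two snapshots, as sorted lists of relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def run_demo():
    """Constructed scenario: baseline a tiny 'bin' tree, then trojan ps, drop a
    file with a hide-in-ls name and mark a binary setuid. Returns the findings."""
    root = tempfile.mkdtemp(prefix="idc-")
    for name, data in (("ls", b"ls-binary"), ("ps", b"ps-binary")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = snapshot(root)
    with open(os.path.join(root, "ps"), "wb") as f:      # replaced ps hides processes
        f.write(b"ps-binary-with-backdoor")
    with open(os.path.join(root, "..."), "wb") as f:     # stash with an odd name
        f.write(b"sniffer.log")
    os.chmod(os.path.join(root, "ls"), 0o4755)           # setuid root-style backdoor
    return {
        "diff": compare(baseline, snapshot(root)),
        "odd": odd_names(root),
        "setid": find_setid_files(root),
        "setid_bit_check": (is_setid(0o4755), is_setid(0o755)),
    }


if __name__ == "__main__":
    print(run_demo())
```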

    24/34

    Other Attack Methods

    Piggyback: gain unauthorized access to a system via an authorized user's legitimate connection.

    Redirects: the action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.

    25/34

    26/34

    Gee, Thanks a Lot!
    http://www.eeye.com/html/press/PR19990608.html

    NEWS HEADLINE - eEye Digital Security unveils one of the largest security holes on the Internet to date

    Corona Del Mar, CA - eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server, the most commonly used Windows NT web server on the Internet. The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server.

    Less than a month later, the Code Red worm appeared; then a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine. (Timeline caveat: the press release linked above is dated June 8, 1999 and concerns an earlier IIS overflow. The Code Red worms of July and August 2001 exploited a different IIS buffer overflow, in the .ida ISAPI filter, which eEye disclosed on June 18, 2001; the "less than a month" refers to that 2001 advisory.)

    27/34

    Network Defenses

    Firewalls, DMZ, air gap
    VPN, SSL encryption
    Intrusion Detection Systems, honeypots and burglar alarms, vulnerability scanners
    E-mail filters, S/MIME encryption

    Bastion Host - A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

    http://www.linuxsecurity.com/dictionary/dict-42.html

    28/34

    What Does a Firewall Do?

    Define network components
    - Workstations, routers, networks, printers, etc.
    - Insiders, Outsiders, Bad Guys

    Typical Policy Rules
    - Stop Bad Guys (from Any Source, to Any Destination)
    - Stop non-Insiders from getting Inside/Outside
    - Allow Insiders to get Inside (other nets, resources, etc.)
    - Allow Insiders to get Outside (i.e., on specific ports)
    - Deny Everything Else

    Reports, Alarms
    - Event logs, various levels of detail
    - Notify if certain events occur
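The policy on this slide, as an added example of a first-match packet filter (not code from the presentation or from any firewall product). The address ranges, the blocklist and the public web server are constructed for illustration; the web server is an assumption the slide does not make, included because it shows why rule order matters: the Bad Guys rule sits first so that a blocked network cannot reach even a public service. Anything no rule speaks for falls through to the slide's last line, Deny Everything Else, and alarm_events collects the denials for the Reports/Alarms item.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR, or "any"
    dst: str                      # CIDR, or "any"
    proto: str = "any"
    dport: Optional[int] = None   # None matches every port
    comment: str = ""


def in_net(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule, pkt):
    return (in_net(rule.src, pkt.src) and in_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt):
    """First matching rule wins. A packet no rule speaks for falls through to
    the slide's last line: Deny Everything Else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default: deny everything else"


def alarm_events(rules, packets):
    """Reports/Alarms: the denied packets together with the rule that stopped
    them, ready for logging or notification."""
    events = []
    for pkt in packets:
        action, why = evaluate(rules, pkt)
        if action == "deny":
            events.append((pkt, why))
    return events


# Constructed network definitions: the slide's Insiders, Outsiders and Bad Guys.
INSIDE = "10.0.0.0/8"
WEB_SERVER = "192.0.2.10/32"        # assumed public server outside the inside net
BAD_GUYS = ["203.0.113.0/24"]       # constructed blocklist

POLICY = [
    # Stop Bad Guys (from any source, to any destination); first so nothing below overrides it.
    *[Rule("deny", net, "any", comment="bad guys") for net in BAD_GUYS],
    # Allow Insiders to get Inside (other nets, resources).
    Rule("allow", INSIDE, INSIDE, comment="insiders to inside"),
    # Stop non-Insiders from getting Inside.
    Rule("deny", "any", INSIDE, comment="outsiders to inside"),
    # Public service reachable from anywhere (assumed DMZ web server).
    Rule("allow", "any", WEB_SERVER, "tcp", 80, "public web"),
    # Allow Insiders to get Outside, on specific ports only.
    Rule("allow", INSIDE, "any", "tcp", 80, "insiders web"),
    Rule("allow", INSIDE, "any", "tcp", 443, "insiders https"),
    Rule("allow", INSIDE, "any", "tcp", 25, "insiders smtp"),
    # Deny Everything Else: the implicit last rule in evaluate().
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
        Packet("198.51.100.7", "10.1.2.3", "tcp", 22),
        Packet("10.1.2.3", "198.51.100.7", "tcp", 6667),
    ]
    for pkt, why in alarm_events(POLICY, samples):
        print("DENY", pkt, "--", why)
```

Swapping the "insiders to inside" and "outsiders to inside" rules would cut the inside network off from itself, which is the usual way a policy written as a list of good intentions goes wrong; evaluating sample packets against the list, as above, is the cheapest check.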

    29/34

    30/34

    Basic Network Architecture

    (Diagram; only its labels survived extraction: INTERNET, DTE, router, firewall, service hosts [www, dns, mail, usage filters], firewall, router, router, Intranet 1, Intranet 2)

    Security Policy?

    Management Support?

    31/34

    HACKER PSYCHOLOGY

    Achievement (The Harder the Better; The Bigger the Better)
    Fame, Recognition (Distrust)
    Respect (Fear)
    Surprise
    Creativity
    Money* (Corporations, Governments)

    How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html
    Phrack: http://www.phrack.com/
    DarkCyde (for Phreakers): http://www.f41th.com/
    cDc: http://www.cultdeadcow.com/

    *Note: Hackers don't make the money; their thrill is in the game!

    32/34

    Lopht: We Can Cripple Internet in 30 minutes

    WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames Mudge, Space Rogue, Brian Oblivion "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn.

    "I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.

    33/34

    Lopht: We Can Cripple Internet in 30 minutes

    MANHASSET, N.Y., April 16 /PRNewswire/ - A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault of Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program L0phtcrack they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.

    34/34

    Popular View of Hackers (also by Hackers)