Hacking as Warfare - Tony Villasenor
7/28/2019 Hacking as Warfare - Tony Villasenor
1/34
6/27/2013 Hacking as Warfare 1
Hacking as Warfare
Tony Villasenor, Director of Technical Services
GeoTrust Inc.
Previous Posts: Director, NASA Science Internet
Chair, Federal Network Council (CERT, etc.)
Architect: Russian Science Internet
Consultant: USAID, DOS, WHO
Hacking as Warfare
TECHNOLOGY: Network-based attack tools; Network defense tools
PSYCHOLOGY: Why do it?
CYBER TERRORISM: Terrorist; Terrorist sympathizers; Targeted countries
IMPACT ON CITIZENS
Network Security Issues
Part 1 of 2
(A Playground for Hackers)
Network-Based Attacks
Better Accessibility because of the network:
Web sites, Email Servers, File Servers, DNS Servers, Routers, Etc.
Web Attacks
Buffer Overflow:
- Occurs when a program does not check to make sure the data it is putting into a space will actually fit into that space
- A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine
- IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57)
Apache HTTP Server version 1.3.19
- could allow a remote attacker to send an HTTP request to cause the server to crash with unexpected behavior.
Web Attacks
Semantic attacks: changing the web content subtly, thus providing false information
Active-X, Java, cookies containing executable code (like BO2K)
Web Admin utilities
NAT'd servers are less visible; Static IP is bad!
FAQs: http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
Examples of Web Attacks
Cracking Session ID numbers: https://www.tonybank.com/account.asp?sid=12345678
- URL session tracking, hidden form elements, cookies
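The sid=12345678 in the URL above is guessable precisely because it is a small, sequential number carried in the query string. The following is an added example, not code from the slides: a check that flags a sequential id stream, and a hypothetical server-side SessionStore (no particular framework) that hands out 128-bit random handles from the secrets module and expires them. The SEQUENTIAL_IDS sample and the account names are constructed.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: ids as a naive server might hand them out, each one
# higher than the last. Anyone holding sid=12345678 can guess 12345679.
SEQUENTIAL_IDS = [12345678, 12345679, 12345680, 12345681]


def is_sequential(ids: List[int]) -> bool:
    """True when every id differs from the previous one by the same step.

    A session id stream with this property is guessable from a single
    observed value, which is what the slide calls cracking session IDs."""
    if len(ids) < 3:
        return False
    steps = {later - earlier for earlier, later in zip(ids, ids[1:])}
    return len(steps) == 1


def random_session_ids(count: int) -> List[int]:
    """Ids drawn from the OS CSPRNG (128 bits each), for comparison."""
    return [int.from_bytes(secrets.token_bytes(16), "big") for _ in range(count)]


class SessionStore:
    """Server-side session table (hypothetical, not from any framework).

    The client only ever carries an opaque, unguessable handle; the account
    it maps to and the expiry time live on the server, never in the URL,
    a hidden form field, or the cookie value itself."""

    def __init__(self, ttl_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock                      # injectable for testing
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)          # 16 bytes of CSPRNG output
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:          # bounds how long a stolen id is useful
            del self._sessions[sid]
            return None
        return user

    def revoke(self, sid: str) -> None:
        """Logout: drop the server-side entry so the handle is dead everywhere."""
        self._sessions.pop(sid, None)
```

A handle of 128 random bits cannot be enumerated the way a counter can, and the short TTL plus explicit revoke limit what an id captured from a proxy log or a shared URL is worth.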
Cracking a SQL database: enter an incorrect string to get an error message which shows how the database forms a query. http://www.wiretrip.net/rfp/p/doc.asp?id=42
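The error-message technique works only because the query is assembled by pasting the input into SQL text. As an added example (not from the slides or the cited paper), using Python's sqlite3 against a constructed in-memory account table: the defective concatenating lookup breaks on a perfectly legitimate name containing a quote and surfaces the database's own error, the parameterised lookup handles the same input as data, and a request handler returns only a generic message to the client.

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the bank's account database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("O'Brien", 250), ("bob", 40)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """The defective pattern: SQL text assembled by string concatenation.

    Any input containing a quote changes the statement's structure. Even a
    legitimate name like O'Brien breaks the query, and the resulting error
    message spells out how the query is formed."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Hardened form: a parameterised query. The driver passes the input as
    a value, so it can never be read as part of the SQL text."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def unsafe_error_text(conn: sqlite3.Connection, owner: str) -> Optional[str]:
    """What the concatenating version would leak for this input: the database
    error message, or None when the query happened to parse."""
    try:
        lookup_unsafe(conn, owner)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def handle_request(conn: sqlite3.Connection, owner: str) -> Tuple[int, str]:
    """Request handler built on the safe lookup. Returns (status, body); the
    database's own error text is for the server log, never for the client."""
    try:
        rows = lookup_safe(conn, owner)
    except sqlite3.Error:
        return 500, "internal error"
    if not rows:
        return 404, "no such account"
    name, balance = rows[0]
    return 200, f"{name}: {balance}"
```

The two fixes are independent and both matter: parameterised queries stop the input from changing the statement, and a generic error response stops the query structure from being reconstructed from the messages that do occur.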
Examples of Web Attacks (cont.)
Loki
- Uses ICMP (ping) as a tunnel for communications and control
- See Phrack Issue 49
Reverse WWW Shell
- Allows command-line access to machine via HTTP port
- Requires inside job to install/run the Reverse WWW Shell server
- Looks like ordinary HTTP traffic, allowed by firewalls!
Steganography & Digital Watermarking
- Distribute MALware by embedding code in .bmp, .jpeg or .gif images
Security Mavens Invaded by Trojan (1 of 2)
by Michelle Delio, 10:35 a.m. Feb. 1, 2001 PST
A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night.
A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.
http://www.wired.com/news/technology/0,1282,41563,00.html
Security Mavens Invaded by Trojan (2 of 2)
But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers.
Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack." NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.
Information Security Magazine (Oct. 2001)
Survey Finds Web Server Attacks Doubled in 2001
By Amy Newman, October 10, 2001
IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems.
Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.
http://www.infosecuritymag.com/articles/october01/images/survey.pdf
Information Security Magazine (Oct. 2001)
Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed.
"The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey. "Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added.
One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.
E-Mail Attacks
Email bombing: repeatedly sending an identical email message to a particular address. http://www.cert.org/tech_tips/email_bombing_spamming.html
MALware Attachments: worms, viruses, trojan horses, etc.
SPAM: Unsolicited junk mail, at sites with mailers that permit relaying
E-Mail Attacks
RTF files are ASCII text files and include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus.
An MP3 file consists of highly compressed audio tracks. MP3 files are not programs, and viruses cannot infect them.
SPAM Control
Scheck_rcpt
# anything terminating locally is ok
R< $+ @ $=w >        $@ OK
# anything originating locally is ok
R$*                  $: $(dequote "" $&{client_name} $)
R$=w                 $@ OK
R$@                  $@ OK
# anything else is bogus
R$*                  $#error $: "550 Relaying Denied"
Three rules for controlling SPAM relaying; the code is inserted in the sendmail.cf file. Note that sendmail.cf requires a tab character, not spaces, between the left-hand side and the right-hand side of each R line.
Network Attacks
DOS, DDoS: coordinated attack by one or multiple sources
- SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
- Aided by proliferation of DSL home users
DNS, BIND
- Redirection: the site you're on is not really the site you think you're on!
- Vulnerability in BIND to allow remote user to gain privileged access
Routers
- Change routing information to disable network
- Cisco's IOS proliferates the worldwide backbone of the Internet
Sniffers
- examine network traffic going to and from other machines
- gather usernames and passwords
- capture electronic mail
Network Attacks (cont.)
Firewalls; IDS, HoneyPots, SATAN, vulnerability scanners
http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
Tripwire to detect configuration changes
Example: DOS
Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at: http://www.cert.org/advisories/CA-1996-21.html
In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus half-open connections.
http://www.cert.org/tech_tips/denial_of_service.html
Example: DOS (cont.)
This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.
An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle could be anything (smurfing). Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect: hence, DDoS.
In addition to network bandwidth, intruders could consume other resources: for example, anything that allows data to be written to disk can be used to execute a DOS attack if there are no bounds on the amount of data that could be written.
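The half-open connection exhaustion described on these two slides is visible from the victim's own connection table: the kernel holds each unfinished handshake in a SYN_RECV (SYN-RECEIVED) entry until it times out. As an added example, not from the slides or the CERT advisory, this parses a constructed snapshot in the layout of Linux `netstat -tan` (documentation address ranges, not real hosts) and reports ports whose half-open backlog has reached a threshold, together with how many distinct sources are behind it.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the layout of `netstat -tan` on Linux; the addresses
# are documentation ranges, not real hosts. Six half-open connections to
# port 80 from six different sources in one snapshot is the pattern the
# advisory describes.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.6:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.8:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.10:1025       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.8:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40002      SYN_RECV
"""


class Conn(NamedTuple):
    local_port: int
    remote_ip: str
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Pull (local port, remote ip, state) out of each TCP row."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # header line or non-TCP row
        local, foreign, state = fields[3], fields[4], fields[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = foreign.rsplit(":", 1)[0]
        conns.append(Conn(local_port, remote_ip, state))
    return conns


def half_open_by_port(conns: List[Conn]) -> Dict[int, int]:
    """Count SYN_RECV entries (half-open connections) per local port."""
    return dict(Counter(c.local_port for c in conns if c.state == "SYN_RECV"))


def syn_flood_report(conns: List[Conn], threshold: int = 5) -> Dict[int, Dict[str, int]]:
    """Ports whose half-open backlog reaches the threshold.

    The distinct-source count is reported too: a flood usually shows many
    sources holding one half-open entry each (spoofed addresses that never
    answer the SYN-ACK), while a busy but healthy service shows sources that
    also hold ESTABLISHED connections."""
    sources = defaultdict(set)
    for c in conns:
        if c.state == "SYN_RECV":
            sources[c.local_port].add(c.remote_ip)
    report: Dict[int, Dict[str, int]] = {}
    for port, count in half_open_by_port(conns).items():
        if count >= threshold:
            report[port] = {"half_open": count, "distinct_sources": len(sources[port])}
    return report
```

On the defensive side the standard answers are SYN cookies (net.ipv4.tcp_syncookies=1 on Linux), which let the kernel answer a SYN without reserving a connection structure, and a shorter SYN-RECEIVED timeout; the report above is the signal that tells you those controls are being exercised.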
Denial of Service Attacks
Make networks or hosts unusable
Disrupt services
Difficult or impossible to locate source
Becoming very popular with attackers, especially IRC sites, controversial sites or services
Bottom Line: COSTLY!
http://www.cert.org/present/cert-overview-trends/sld001.htm
Back Orifice 2000
Ping and query the server
Reboot or lock up the system
List cached and screen saver passwords
Display system information
Log keystrokes, view the keystroke log and delete the keystroke log
Display a message box
Map a port to another IP address, application, HTTP file server, or filename
List ports mapped by BackOrifice 2000
Send a file through another port
Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections
http://www.commandcom.com/virus/backorifice2000.html
Back Orifice 2000 (cont.)
List current processes, kill a process and start a process
View and edit the registry - create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
Video and audio capture and playback
Capture a screen shot
File and directory commands - list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
Receive and send files
Compress and uncompress files
Resolve host name and address
Server control - shutdown server, restart server, load plug-in, remove plug-in and list plug-ins
Intruder Detection Checklist
Look for Signs That Your System May Have Been Compromised
1. Examine log files
2. Look for setuid and setgid files
3. Check system binaries
4. Check for packet sniffers
5. Examine files run by 'cron' and 'at'
6. Check for unauthorized services
7. Examine /etc/passwd file
8. Check system and network configuration
9. Look everywhere for unusual or hidden files
10. Examine all machines on the local network
http://www.cert.org/tech_tips/intruder_detection_checklist.html
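Items 2 and 3 of the checklist (and the Tripwire idea from the earlier slide) are mechanical enough to script. The following is an added example, not part of the CERT checklist or of Tripwire: a walk that lists setuid/setgid files under a directory, a SHA-256 baseline of chosen binaries, and a drift check that reports which of them were modified or removed. The self_check function exercises both on a constructed temporary tree rather than a real system directory.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def find_setuid_setgid(root: str) -> List[str]:
    """Checklist item 2: every regular file under root with the setuid or
    setgid bit set. Compare the result against the list recorded when the
    host was built; anything new is a finding."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Checklist item 3: record a hash of each system binary while the host
    is known-good. Keep the baseline off the host or on read-only media;
    a baseline the intruder can rewrite proves nothing."""
    return {path: sha256_file(path) for path in paths}


def check_baseline(baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {path: 'modified' | 'missing'} for each binary that drifted."""
    findings: Dict[str, str] = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings


def self_check() -> Dict[str, object]:
    """Exercise both checks on a constructed temporary tree, never on a
    real system directory; returns what each check reported."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "plain")
        suid = os.path.join(root, "suid_tool")
        for path in (plain, suid):
            with open(path, "wb") as handle:
                handle.write(b"#!/bin/sh\necho ok\n")
        os.chmod(suid, 0o4755)                    # setuid bit on a file we own
        setuid_hits = [os.path.basename(p) for p in find_setuid_setgid(root)]
        baseline = build_baseline([plain, suid])
        with open(plain, "ab") as handle:         # simulate a replaced binary
            handle.write(b"# changed\n")
        os.remove(suid)                           # simulate a deleted binary
        drift = {os.path.basename(p): why for p, why in check_baseline(baseline).items()}
    return {"setuid": setuid_hits, "drift": drift}
```

Run the checks from known-good tools (a rescue disk or a statically linked copy of the interpreter) when a compromise is suspected: item 3 exists because the first thing a rootkit replaces is the ls, ps and find the checklist relies on.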
Other Attack Methods
Piggyback: gain unauthorized access to a system via an authorized user's legitimate connection.
Redirects: The action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.
Gee, Thanks a Lot!
http://www.eeye.com/html/press/PR19990608.html
NEWS HEADLINE - eEye Digital Security unveils one of the largest security holes on the Internet to date
Corona Del Mar, CA - eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server, the most commonly used Windows NT web server on the Internet. The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server.
Less than a month later, the Code Red worm appeared; then a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine.
Network Defenses
Firewalls, DMZ, air gap
VPN, SSL encryption
Intrusion Detection Systems, honeypots and burglar alarms, vulnerability scanners
e-mail filters, S/MIME encryption
Bastion Host - A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.
http://www.linuxsecurity.com/dictionary/dict-42.html
What Does a Firewall Do?
Define network components
- Workstations, routers, networks, printers, etc.
- Insiders, Outsiders, Bad Guys
Typical Policy Rules
- Stop Bad Guys (from Any Source, to Any Destination)
- Stop non-Insiders from getting Inside/Outside
- Allow Insiders to get Inside (other nets, resources, etc.)
- Allow Insiders to get Outside (i.e., on specific ports)
- Deny Everything Else
Reports, Alarms
- Event logs, various levels of detail
- Notify if certain events occur
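The policy on this slide is an ordered rule list with a default deny at the end, which is the shape every packet filter takes. As an added example, not from the slides or from any firewall product, the following evaluates that exact policy in Python: the inside and bad-guy networks are constructed (RFC 1918 space and a documentation range standing in for a blocklist), the allowed outbound ports are an assumption, each decision writes one event-log line, and an alarm function picks out sources that keep getting denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed address plan: RFC 1918 space for the inside, a documentation
# range standing in for a blocklist of known bad sources.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BAD_GUY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OUTBOUND_PORTS = frozenset({25, 53, 80, 443})   # assumed "specific ports" insiders may reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                           # "inside" | "outside" | "bad" | "any"
    dst: str
    dports: Optional[FrozenSet[int]]   # None means any port
    action: str                        # "allow" | "deny"


def classify(ip: str) -> str:
    """Map an address onto the slide's three parties."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BAD_GUY_NETS):
        return "bad"
    if any(addr in net for net in INSIDE_NETS):
        return "inside"
    return "outside"


# The slide's policy, in order; first match wins, and the last rule is the
# default that turns the list into a whitelist.
POLICY: List[Rule] = [
    Rule("stop bad guys as source", "bad", "any", None, "deny"),
    Rule("stop bad guys as destination", "any", "bad", None, "deny"),
    Rule("stop non-insiders from getting inside", "outside", "inside", None, "deny"),
    Rule("allow insiders to get inside", "inside", "inside", None, "allow"),
    Rule("allow insiders outside on specific ports", "inside", "outside", OUTBOUND_PORTS, "allow"),
    Rule("deny everything else", "any", "any", None, "deny"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and rule.src != classify(pkt.src):
        return False
    if rule.dst != "any" and rule.dst != classify(pkt.dst):
        return False
    return rule.dports is None or pkt.dport in rule.dports


def decide(pkt: Packet, log: List[str]) -> str:
    """Return 'allow' or 'deny' and append one event-log line naming the rule."""
    for rule in POLICY:
        if matches(rule, pkt):
            log.append(f"{rule.action.upper()} {pkt.src} -> {pkt.dst}:{pkt.dport} [{rule.name}]")
            return rule.action
    raise AssertionError("policy must end with a catch-all rule")


def alarm_events(log: List[str], min_denies: int = 3) -> List[str]:
    """The 'notify if certain events occur' part: sources denied at least
    min_denies times in the log, the usual trigger for an operator alert."""
    denied_by_src: dict = {}
    for line in log:
        if line.startswith("DENY"):
            src = line.split()[1]
            denied_by_src[src] = denied_by_src.get(src, 0) + 1
    return sorted(src for src, n in denied_by_src.items() if n >= min_denies)
```

Note that an insider trying to reach a port outside OUTBOUND_PORTS is not caught by any explicit rule; it falls through to "deny everything else", which is why that final rule, and logging which rule fired, matter more than any of the others.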
Basic Network Architecture
(Diagram: labels recoverable from the slide are DTE, router, firewall, www, dns, mail, usage filters, firewall, router, router, Intranet 1, Intranet 2, INTERNET)
Security Policy?
Management Support?
HACKER PSYCHOLOGY
Achievement: The Harder the Better; The Bigger the Better
Fame: Recognition (Distrust)
Respect (Fear), Surprise
Creativity
Money*: Corporations, Governments
How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html
Phrack: http://www.phrack.com/
DarkCyde (for Phreakers): http://www.f41th.com/
cDc: http://www.cultdeadcow.com/
*Note: Hackers don't make the Money; their Thrill is in the Game!
Lopht: We Can Cripple Internet in 30 minutes
WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames, Mudge, Space Rogue, Brian Oblivion, "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn.
"I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.
Lopht: We Can Cripple Internet in 30 minutes
MANHASSET, N.Y., April 16 /PRNewswire/ - A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault of Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program L0phtcrack they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.
Popular View of Hackers (also by Hackers)