INTERNETWORKING SECURITY

Slides: 71
Provided by: paragon1

Transcript and Presenter's Notes

1
INTERNETWORKING SECURITY
  • Guest Lecture by
  • Mr. PRAVIN SHETTY

2
Authentication means
  • to establish proof of identity.
  • We will look at these three methods of
    authentication for communication on an internetwork:
  • user-to-host
  • host-to-host
  • user-to-user

3
Authentication is done by
  • something you are (SYA)

4
Authentication (and Unix Password Security)
  • something you know (SYK)
  • something you have (SYH)

5
Authentication
  • SYA authentication applies to humans.
  • e.g. biometrics techniques that measure
    biological characteristics or physical phenomena
    (e.g. finger print and hand print analysis,
    retinal scans, voice, handwriting recognition,
    etc).

6
Authentication
  • SYK is the most commonly used end-user
    authentication.
  • e.g. user name and password.
  • Can also be applied to programs that exchange
    data over the network without human
    intervention.
  • The strength of SYK authentication depends on
    whether what is known is a secret, and can be
    kept as a secret.

7
Authentication
  • In and of itself, SYH is the weakest way to
    authenticate.
  • The mere possession of an object that can be
    borrowed, stolen, or duplicated is a poor way to
    identify its holder.
  • The strength of SYH is greatly improved when combined
    with SYK.

8
User-to-Host authentication
  • Typical methods are
  • static passwords
  • one-time passwords
  • trusted third parties

9
Static passwords
  • The most ubiquitous authentication scheme employed on
    the internet today.
  • A user-chosen or assigned secret that only
    the user should know.
  • It is an example of SYK.
  • An example is /etc/passwd, where a derivative of
    each user's password is stored.
  • Refer to the Unix encrypted password system.

10
Static passwords - problems
  • A password guesser (also known as a cracker) can be
    used to guess some of the passwords even when the
    passwords (or their derivatives) are stored in
    encrypted form.
  • The passwords can be guessed because they are
    poorly chosen,
  • e.g. the password is the same as the user name or the
    real name, or is a popular word from the
    dictionary, etc.
  • How do cracker programs work?

11
Cracker principle
    /* Single password cracker: user name is pravin and password is pravin.
       Scan the password file for accounts whose password equals the user name. */
    #define _XOPEN_SOURCE 700      /* declares crypt() in <unistd.h> */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <pwd.h>
    #include <unistd.h>
    int main(int argc, char *argv[])
    {
        struct passwd *pw;
        while ((pw = getpwent()) != NULL) {      /* walk every entry of the password file */
            /* The stored entry's first two characters are its salt, so the stored
               entry itself can be passed as crypt()'s salt argument. */
            char *result = crypt(pw->pw_name, pw->pw_passwd);
            if (result != NULL && !strcmp(result, pw->pw_passwd))
                printf("%s has the same password\n", pw->pw_name);
        }
        endpwent();
        exit(0);
    }

12
Educating users
  • Never use a portion or variation of your account
    name or another account name.
  • Never use a portion or variation of your real
    name, office or home address, or phone number.
  • Never use words or variations of words found in
    any dictionary, especially /usr/dict words.
  • Never use pairings of short words found in any
    dictionary (dogcat)
  • Never use dictionary words or names spelled
    backward (like terces)
  • Never use syllables or words from a foreign
    language.
  • Never use repeated character string (like
    AAAABBBB, LLOOVVEE)
  • Never use passwords containing only numeric
    digits.
  • Always use passwords at least seven characters
    long. Many Unix versions use only 8 characters
    while some new ones may permit 16 or more
    characters.
  • Always use a mixture of upper- and lowercase
    characters. This is an especially valuable rule.
  • Always use at least one or two non-alphanumeric
    characters, like numeric digits, punctuation
    marks, dollar sign, caret, etc. All of these lead to
    a large number of combinations, which may take the
    cracker program long enough to crack.

13
Preventing insecure passwords
  • Accounts without passwords
  • Managing dormant accounts
  • Not allowing passwords that are similar to the
    user names, their derivatives or words in /usr/dict, or
    insisting that the password contain at least one
    non-alphabetic character (the npasswd program on Linux
    has this feature).
  • Shadow passwords and password aging.
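The rules of slides 12 and 13 are mechanical enough to enforce at password-change time, which is what a program like npasswd does. The checker below is an added example written for this transcript, not code from the lecture or from npasswd; the DICTIONARY set is a constructed stand-in for /usr/dict/words, and the rule names and return format are my own.

```python
import string

# Constructed stand-in for /usr/dict/words (assumption: a real checker loads
# the system word list).
DICTIONARY = {
    "secret", "password", "dog", "cat", "love", "hello", "sun", "moon",
    "computer", "welcome", "monday",
}
MIN_LENGTH = 7   # slide 12: at least seven characters


def _variations(password):
    """Forms slide 12 forbids: the word itself, with non-letters stripped,
    and both of those spelled backward."""
    w = password.lower()
    letters = "".join(ch for ch in w if ch.isalpha())
    return {w, letters, w[::-1], letters[::-1]}


def _is_word_pair(password):
    """Two dictionary words glued together (dogcat)."""
    w = password.lower()
    return any(w[:i] in DICTIONARY and w[i:] in DICTIONARY
               for i in range(1, len(w)))


def _is_repeated_pattern(password):
    """AAAABBBB / LLOOVVEE style strings: two or fewer distinct characters,
    every character doubled with a neighbour, or a short block repeated."""
    n = len(password)
    if len(set(password)) <= 2:
        return True
    paired = all(
        (i > 0 and password[i] == password[i - 1])
        or (i + 1 < n and password[i] == password[i + 1])
        for i in range(n)
    )
    blocked = any(
        n % b == 0 and password == password[:b] * (n // b)
        for b in range(1, n // 2 + 1)
    )
    return paired or blocked


def check_password(username, password, realname=""):
    """Apply the rules of slides 12-13 and return the list of violations
    (an empty list means the password is acceptable)."""
    problems = []
    low = password.lower()
    # Rule: no portion of the account name or real name, forwards or backwards.
    for item in [username] + realname.split():
        item = item.lower()
        if len(item) >= 3 and (item in low or item[::-1] in low):
            problems.append("contains account or real name (%s)" % item)
            break
    if _variations(password) & DICTIONARY:
        problems.append("dictionary word, variation, or reversed word")
    elif _is_word_pair(password):
        problems.append("pairing of short dictionary words")
    if _is_repeated_pattern(password):
        problems.append("repeated character pattern")
    if password.isdigit():
        problems.append("only numeric digits")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixture of upper- and lowercase")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no non-alphabetic character")
    return problems
```

A real deployment would load the system word list, add the site's own banned words, and run the check inside the password-change program so that a rejected password never reaches /etc/passwd or /etc/shadow.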

14
Shadow password
  • Shadow passwords are hidden in a shadow file
    that is readable only by the super user.
  • Typically it is /etc/shadow, readable by root.
  • When shadow passwords are implemented, a
    * or x is placed in the password field of the
    /etc/passwd file.
  • In Unix, the password is used to encrypt a string of
    64 zero bits using the crypt() function,
    typically 25 times. The final encrypted 64 bits
    are unpacked into a string of 11 printable
    characters that are stored in the /etc/passwd or
    /etc/shadow file.

15
Adding salt to the password
  • Although the source code of crypt() is readily
    available, no technique has been discovered to
    translate the encrypted password back into the
    original password.
  • The only possible attack is a brute-force attack
    or a dictionary attack.
  • The method above would allow an attacker to
    store pre-encrypted versions of the dictionary
    words and match them against the passwords
    stored in the /etc/passwd file.
  • To overcome this problem, add a salt to the
    password.

16
How adding salt works?
  • When you change the password, the /bin/passwd
    program selects a salt based on the time of
    day.
  • The salt is converted into a two-character string
    (12 bits in fact) and is stored in the
    /etc/passwd file along with the encrypted
    password.
  • The string of 64 zero bits is encrypted under the
    concatenation of the salt and the user-supplied
    password string!
  • Having a salt means that the same password can
    encrypt in 4096 different ways, and this makes it
    much harder for the attacker to build a reverse
    dictionary of pre-encrypted passwords.
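Slides 15 and 16 make a quantitative claim: a 12-bit salt multiplies the size of any pre-encrypted dictionary by 4096. The following added example (mine, not the lecturer's, and not the real crypt(3) implementation) keeps the shape of the Unix scheme, a 64-bit zero block transformed 25 times under a key formed from salt + password with the salt stored in the clear in front of the result, but replaces DES with SHA-256, which is an assumption made only so the block runs without a DES library; the five-word WORDS list is a constructed stand-in for a dictionary.

```python
import hashlib

# crypt(3) encodes the 12-bit salt with these 64 characters, two per salt,
# so there are 64 * 64 = 4096 possible salts (slide 16).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 25          # slide 14: crypt() is applied 25 times

# Constructed stand-in for /usr/dict/words.
WORDS = ["secret", "password", "welcome", "dragon", "letmein"]


def salt_from_bits(value):
    """Encode a 12-bit integer as a two-character crypt-style salt string."""
    if not 0 <= value < 4096:
        raise ValueError("salt must be 12 bits")
    return SALT_ALPHABET[value >> 6] + SALT_ALPHABET[value & 63]


def toy_crypt(salt, password):
    """Shape of the Unix scheme: a 64-bit block of zeros is transformed
    ROUNDS times under a key built from salt + password, and the salt is
    stored in the clear in front of the result. DES is replaced by SHA-256
    here (assumption); the salt behaviour is what the example is about."""
    block = bytes(8)
    key = (salt + password).encode()
    for _ in range(ROUNDS):
        block = hashlib.sha256(key + block).digest()[:8]
    return salt + block.hex()          # 16 hex chars, preceded by the salt


def verify(stored, attempt):
    """Login check: re-encrypt the attempt under the salt that is stored in
    the clear in front of the 16-character result, and compare."""
    salt = stored[:-16]
    return toy_crypt(salt, attempt) == stored


def build_reverse_dictionary(salted):
    """Pre-encrypt the whole word list. Without salt one entry per word is
    enough; with salt every word has to be encrypted under all 4096 salts,
    which is exactly what makes the table 4096 times larger."""
    salts = [salt_from_bits(v) for v in range(4096)] if salted else [""]
    return {toy_crypt(s, w): w for w in WORDS for s in salts}


def reverse_lookup(table, stored):
    """Recover the plaintext of a stored entry by table lookup, or None."""
    return table.get(stored)
```

The unsalted table has one entry per word and answers a lookup instantly; the salted one needs 4096 entries per word, and an attacker who prepared a table for one salt gains nothing against an entry made with another. Note that the salt is public by design; its job is to defeat pre-computation, not to be secret.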

17
Password aging
  • Forces the user to change the password regularly.
  • When the allotted lifetime of a password
    expires, at the next login the user must change
    it or be denied access to the shell (in Unix).
  • smit is the tool that allows the configuration of
    the password aging.
  • Another strategy of aging is password history.
  • User is prevented from using one of the earlier
    used passwords.

18
Static passwords with one-way hash
  • When a clear text password is passed through a
    communication channel, it can be snooped.
  • Using a challenge-response scheme, it is possible
    for a host to verify that a user knows the
    password without requiring the user to send the
    password through the communication channel.
  • The challenge (or the answer) string is
    concatenated with the password and a one-way
    hash of this string is sent to the server for
    validation.

19
Challenge-and-response protocol
  (Alice and Bob share a secret key K)
  Alice -> Bob: "I am Alice."
  Bob -> Alice: a random x (challenge)
  Alice computes y = E(K, x)
  Alice -> Bob: y (response)
  Bob computes z = E(K, x) and accepts if y = z.
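Both sides of the exchange on slides 18 and 19, as an added example that is not part of the lecture. The keyed transformation E(K, x) is realised as HMAC-SHA256 over the challenge, which is my choice, not something the slides specify; Verifier, response and the deterministic counter_rng used for testing are names of my own.

```python
import hashlib
import hmac
import itertools
import os


def response(key, challenge):
    """Alice's side: y = E(K, x). E is realised (assumption) as HMAC-SHA256,
    a one-way function of the shared secret and the challenge; an
    eavesdropper who sees (x, y) learns nothing usable about K."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Bob's side: knows K, issues a fresh random x, accepts only when the
    returned y equals its own z = E(K, x)."""

    def __init__(self, key, rng=os.urandom):
        self.key = key
        self.rng = rng          # injectable so a run can be reproduced in tests
        self.pending = None     # the outstanding challenge, if any

    def challenge(self):
        self.pending = self.rng(16)       # 128 random bits; never reused
        return self.pending

    def verify(self, y):
        x, self.pending = self.pending, None   # each challenge is answerable once
        if x is None:
            return False
        z = response(self.key, x)
        return hmac.compare_digest(y, z)       # constant-time comparison


def counter_rng(n, _ctr=itertools.count(1)):
    """Deterministic stand-in for os.urandom used only in tests: every call
    returns a different value, which is all the protocol needs."""
    return next(_ctr).to_bytes(n, "big")


def run_exchange(alice_key, bob_key, rng=os.urandom):
    """Drive one full exchange and return whether Bob accepted Alice."""
    bob = Verifier(bob_key, rng)
    x = bob.challenge()              # Bob -> Alice: random x
    y = response(alice_key, x)       # Alice -> Bob: y = E(K, x)
    return bob.verify(y)             # Bob: z = E(K, x), accept iff y == z


def replay_attempt(key, rng=os.urandom):
    """Why snooping the channel does not help: record (x1, y1) from a genuine
    login, then present y1 again against a new challenge x2.
    Returns (first_accepted, replay_accepted)."""
    bob = Verifier(key, rng)
    x1 = bob.challenge()
    y1 = response(key, x1)
    first = bob.verify(y1)
    bob.challenge()                  # new session, new random x2
    return first, bob.verify(y1)     # y1 answers x1, not x2
```

The password (here K) never crosses the channel; only x and a one-way function of K and x do, and because x is fresh each time a captured response is useless later. The same structure with the password concatenated to the challenge and hashed is what slide 18 describes.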
20
One-time passwords
  • S/Key (Secret Key), due to Leslie Lamport and
    implemented by Phil Karn on Unix.
  • Handheld authenticators.
  • Smart cards

21
One-time passwords
  • As the name implies, a password is used only once.
    Typically the password is generated by applying
    the MD5 algorithm repeatedly to a secret password.
  • Let p be the password and f the one-way MD5
    function. Initially let n = 9; then the first
    password transmitted for verification will be
    f^9(p), the next time it will be f^8(p), and so on.
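The hash chain of slide 21 carried through in code, as an added example (mine, not the lecture's and not the S/Key implementation). f is MD5 as on the slide; to make the first transmitted password f^9(p) the server is seeded with f^10(p), which is an assumption about the initial state that the slide leaves implicit. OtpServer, OtpClient and run_session are names of my own.

```python
import hashlib


def f(x):
    """The slide's one-way function f (MD5, as on the slide; a modern
    deployment would pick a current hash, the chain logic is unchanged)."""
    return hashlib.md5(x).digest()


def f_n(p, n):
    """f applied n times to the secret password p, i.e. f^n(p)."""
    x = p
    for _ in range(n):
        x = f(x)
    return x


class OtpServer:
    """Holds only the current top of the chain, never the secret p.
    Seeded with f^(n+1)(p) so that the first accepted password is f^n(p)."""

    def __init__(self, p, n=9):
        self.n = n + 1
        self.stored = f_n(p, self.n)

    def login(self, otp):
        # The submitted value must be the preimage of what is stored.
        if self.n > 0 and f(otp) == self.stored:
            self.stored, self.n = otp, self.n - 1   # step one link down the chain
            return True
        return False      # wrong value, a replayed value, or an exhausted chain


class OtpClient:
    """Knows p; hands out f^9(p), f^8(p), ... f^0(p) = p, one per login."""

    def __init__(self, p, n=9):
        self.p, self.n = p, n

    def next_password(self):
        if self.n < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new p")
        otp = f_n(self.p, self.n)
        self.n -= 1
        return otp


def run_session(p=b"secret", logins=3):
    """Constructed demo: perform `logins` logins, then replay the last
    password. Returns (all_logins_accepted, replay_accepted)."""
    server, client = OtpServer(p), OtpClient(p)
    results, last = [], None
    for _ in range(logins):
        last = client.next_password()
        results.append(server.login(last))
    return all(results), server.login(last)
```

A snooper who captures f^8(p) cannot produce f^7(p), since that would require inverting f; and replaying f^8(p) fails because the server has already moved its stored value down to f^8(p) and now expects its preimage. After ten logins the chain is used up and the user must be re-initialised with a fresh p.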

22
Handheld Authenticators
  • They are handheld password generators or tokens
    and belong to the category of SYH
    authentication.
  • Similar to the challenge-response scheme: the
    host issues a challenge string that the user keys
    into the authenticator. The response appears on
    the authenticator's display, and the user then
    sends it to the host.

23
Trusted third parties
  [Diagram: several users and hosts arranged around a
   central KDC (Key Distribution Centre)]
24
Advanced authentication
  • Kerberos (by MIT)
  • KriptoKnight (by IBM)
  • SPX (by DEC)
  • Lotus Notes
  • DCE
  • Microsoft
  • ......

25
Host-to-host authentication
  • IP address/name authentication can be
    considered as no authentication.
  • Digital signatures (e.g. based on a message
    digest such as MD5) and encryption can be used to
    authenticate the identity of the sender.

26
  • HACKERS
  • - The Modern Roadwarrior-

27
THE CHANGING WORLD
  • General Powell describes an historic meeting with
    Gorbachev, who was becoming frustrated in trying
    to explain how the old model of the world was
    unworkable. He finally leaned across the table to
    Secretary Schultz and said, "You need to
    understand, Secretary Schultz, today I am ending
    the cold war." He then turned to Powell and
    said, "General, you will have to find another
    enemy."

28
THE CHANGING WORLD
  • The bipolar world of the last half century has
    become a multipolar economy dominated by the
    United States, Europe and the Pacific Rim.
  • - Economic competition has replaced military
    competition.
  • - Information and economic value have become
    synonymous.
  • - Personal and economic interests have merged
    with national interests.
  • The new economy is based upon information
    technology that is fast leading to an age of
    networked intelligence (the network is the
    computer) that is leading to a new society with
    new politics.
  • The world is on the doorstep of a digital economy
    fueled by information and knowledge. (Information
    is Power)

29
Hackers - An Academic View -
30
Hacker History
  • The original generation of Hackers has been said
    to include such personalities as John von Neumann,
    Alan Turing and Grace Hopper.
  • The first use of the term "Hacker" is attributed
    to members of the "Tech Model Railroad Club" at
    MIT in the late 1950s.
  • This was originally a term of praise for the
    very best programmers and designers.
  • Media coverage in the 1980s redefined the term
    to be synonymous with "Computer Criminal".
  • The visibility and rise of Hackers is the result
    of four major developments
  • 1. The proliferation of computers
  • 2. The dramatic rise and geographical expansion
    of networks.
  • 3. The dramatic rise in computer literacy.
  • 4. The dependence of organizations upon
    information.

31
My personal belief
  • Computers are tools for the masses. Computers
    should not be private devices for the rich.
  • Information belongs to everyone. Most hackers
    start at the university which generates and
    distributes knowledge.
  • Coding is community property. The status of all
    software should be shareware, freeware or public
    domain.
  • Coding is an art. A good program has a certain
    elegance and beauty. In beauty there is
    creativity which is demonstrated by a program
    that can penetrate others.
  • The computer lives. Most hackers have a social
    and personal relationship with their computer.

32
The Hackers Ethics
  • Access to computers should be unlimited and
    total.
  • Always yield to the Hands-On Imperative
  • All information should be free.
  • Mistrust authority--promote decentralization.
  • Hackers should be judged by their hacking.
  • You can create art and beauty on a computer.
  • Computers can change your life for the better.

33
Qualities
  • Young. Most are under 30 and concentrated around
    colleges and universities.
  • Bright. A good hack results from meeting a
    challenge which will require in many cases
    exceptionally high intelligence.
  • Understanding, Prediction and Control. These
    three conditions seem to bring a sense of
    competence, mastery, and self-esteem.
  • Computer fascination. For many of us the computer
    is simply a tool. For the hacker it is an
    unendingly fascinating toy - a mystery wrapped in
    an enigma to be explored and understood.
  • No malice. The good hacker does no damage.

34
Social view is
  • Misguided youths. Hackers are misguided youths
    and are essentially harmless.
  • Their intelligence and creativity should be
    encouraged but directed toward more constructive
    channels.
  • Security specialists. Hackers know the corporate
    security weaknesses.
  • They should be hired as security specialists and
    their expertise utilized to protect the
    corporation's vital information resources.
  • Scumbags. Hackers are the scum of the earth and
    should be treated as varmints and hunted down
    with dogs and put away for life.
  • Ordinary criminals. Hackers should be treated no
    different than any other criminals.
  • Human nature inevitably breeds predators and it
    is the responsibility of everyone to put in place
    the necessary controls to protect their valuables

35
From the Hacker's mouth
  • "Hacking to me is to transcend custom and
    engage in creativity for its own sake..."
  • "For the most part, it's simply a mission of
    exploration. In the words of the captain of the
    starship Enterprise, Jean-Luc Picard, 'Let's see
    what's out there!'"
  • "It's like picking a lock on a cabinet to get a
    screwdriver to fix a radio. As long as you put it
    back, what's the harm?"
  • "Although computers are part "property" and part
    "premises" ..... they are supreme instruments of
    speech..... We must continue to have absolute
    freedom of electronic speech."
  • "Thousands of people legally see and use this
    ever-growing mountain of data much of it
    erroneous. Whose rights are we violating when we
    peruse the file. ...The invasion took place long
    before the hacker ever arrived."
  • "Crime gets redefined all the time. Offend
    enough people or institutions and lo and behold,
    someone will pass a law."
  • "At the risk of sounding like some digital posse
    comitatus, I say Fear The Government That Fears
    Your Computer."

36
What do you mean by Hacker?
  • A Hacker is someone who has achieved some level
    of expertise with computers.
  • A Cracker is someone who breaks into systems
    without permission.
  • A Script Kiddie is someone who uses scripts or
    programs from someone else to do his/her
    cracking.
  • Other terms are leech, warez puppy, warez dood,
    lamer and rodent.
  • A Phreaker is a hacker who specializes in
    telephone systems.
  • A White Hat is someone who professes to be
    strictly a good guy.
  • A Black Hat is someone who is viewed as a bad
    guy.
  • A Grey Hat is someone who falls in between White
    and Black.

37
What motivates the hacker?
  • Psychological Need/Recognition.
  • Desire to Learn/Curiosity.
  • Revenge/Maliciousness.
  • Experimentation.
  • Gang Mentality.
  • Misguided trust in other individuals.
  • Altruistic reasons.
  • Self-gratification.
  • Desire to Embarrass.
  • Joyriding.
  • Scorekeeping.
  • Espionage.
  • Cyber-Warrior

38
Typical attacks are
  • Insider Attack.
  • Social Engineering.
  • Virus Infiltration.
  • Denial of Service.
  • Software Bug.
  • Password Infiltration.
  • Lack of Security Infiltration.
  • IP Spoofing.
  • Trojan Horse.
  • Stealth Infiltration.
  • Brute Force.
  • TCP/IP Protocol Flaw.
  • Worms and viruses

39
Typical Attacks come from
  • 49% are inside employees or contractors on the
    internal network.
  • 17% come from dial-up by inside employees.
  • 34% are from the Internet.
  • The major financial loss is due to internal
    hacking.

40
What characteristics make a GOOD target?
  • Lax Security (Hard on the outside, soft on the
    inside!).
  • High visibility makes a good "Scorekeeper" site.
  • High visibility makes a good "Embarrassment"
    site.
  • Resources that are useful to the hacker.
  • Destruction of ability to provide service to
    customer.

41
Examples
  • The Cuckoo's Egg discussed four hackers, Dirk
    Brzesinski, Peter Carl, Markus Hess and Karl
    Koch, from Hannover, Germany, who penetrated or
    attempted to penetrate at least 50 computers
    connected to MILNET.
  • These systems included the Pentagon, Lawrence
    Livermore Labs, the Los Alamos Nuclear Weapons
    Systems and the National Computer Security
    Center.
  • They exploited these systems by means of
    weaknesses in TCP/IP and the UNIX operating
    systems.
  • One of their favorite techniques was to plant
    Trojan Horses to steal authorized passwords.
  • The German Chaos Computer Club brought "chaos" to
    the National Aeronautics and Space Administration
    computer systems in the late 1980s.
  • They primarily planted Virus programs at the
    Goddard Space Flight Center in Greenbelt, Md.
  • They gained access through a Unix flaw that the
    system administrator had failed to patch.

42
Examples
  • Eberhard Blum, part of the Bundesnachrichtendienst
    (BND), is reputed to have instituted a program
    called Project Rehab, composed of computer
    scientists, designed to penetrate the
    communications systems of the Eastern bloc.
  • Since the fall of the Eastern bloc this
    organization is reputed to have targeted the West.
  • The Direction Generale de la Securite Exterieur
    (the French CIA) is reputed to target foreign
    businesses.
  • Their favorite US targets seem to have been IBM
    and TI.
  • They are reputed to search visitor rooms looking
    for information on laptops and to bug Air France
    flights.
  • The French are reputed to auction these
    industrial secrets to the highest corporate
    bidder.
  • The Ministry for International Trade (MITI) is
    reputed to coordinate the industrial espionage
    activities of Japanese corporations.
  • These secrets are funneled through MITI, which
    uses the information as part of its national
    industrial policy.
  • China, the former Soviet Union, France, Japan,
    Israel, Sweden, Switzerland and the UK are reputed
    to be the most active in national industrial
    espionage.

43
Examples
  • Robert Morris Jr, Cornell University, brought the
    Internet to its knees in 1988 through the
    "Internet Worm".
  • The Worm consumed computer resources, making them
    unavailable to others and thereby either halting the
    computer or slowing it to a crawl. The worm
    primarily consisted of two attack programs:
  • a program designed to exploit the backdoor DEBUG
    command in Sendmail,
  • a program to inundate the Finger daemon's input
    buffer, and a password guessing program.
  • The Legion of Doom (LoD) and the Masters of
    Destruction (MoD) were two of the major computer
    gangs in the late 80s and early 90s.
  • They were from Brooklyn, the Bronx and Queens.
  • They wiretapped, intercepted data transmissions,
    reprogrammed phone computer switches, stole and
    sold passwords, etc.
  • The LoD were convicted in 1992, apparently turned
    in as a result of a falling out with other
    hackers.

44
Rome Lab Attack
  • On 28 March 1994 the Rome Labs Sysadmins detected
    a password Sniffer.
  • The Sniffer had collected so much information
    that it had filled a disk and crashed the system
  • Defense Information Systems Agency (DISA) was
    notified who, in turn, notified AFOSI. Air Force
    Information Warfare Center (AFIWC) was notified
    and SA Jim Christi was assigned the case.
  • The investigators, after reviewing the logs and
    interviewing the Sysadmins, found that
  • The penetration was made on March 23 by two
    hackers.
  • They penetrated seven computers and planted
    sniffers.
  • 100 accounts on 30 systems were compromised.
  • Rome Lab had been used as a jumping off point
    for hack attacks on other military, government
    and research facilities around the world.
  • The Commanding officer was briefed and made the
    decision to leave several systems open in the
    hopes of tracking the hackers.
  • Pursue and Prosecute

45
Rome Lab Attack
  • The investigative team established a snooper
    program that began key stroke monitoring on the
    systems left open and discovered the hacker
    handles Datastream Cowboy and Kuji.
  • The majority of the attacks were traced back to
  • cyberspace.com, Seattle, Washington and
  • mindvox.com, New York City.
  • On 5 April, an Internet informant provided AFOSI
    an e-mail address and home telephone number
    (Datastream) in the UK of a hacker who had been
    bragging about the exploit.
  • Scotland Yard initiated a pen register on the
    hacker's telephone while AFOSI continued to
    monitor Datastream's online activity. During this
    time, based upon sniffed passwords, he
  • attacked systems at the Jet Propulsion Lab in
    California,
  • attacked systems at the Goddard Space Flight
    Center, Greenbelt, Md,
  • compromised an aerospace contractor's systems in
    California and Texas, and
  • initiated a scan against Brookhaven Labs, DOE,
    in NY.

46
Rome Lab Attack
  • On April 14/15, 1994 the investigative team
    observed Kuji initiate attacks from Latvia
    against
  • Goddard Space Flight Center
  • Wright-Patterson AFB
  • NATO Headquarters
  • In the meantime Datastream was busily attacking
    the Korean Atomic Research Inst. Alarm bells
    started going off until it was discovered to be
    in South Korea.
  • In May 1994 Scotland Yard executed a search
    warrant and arrested 16-year-old Richard Pryce.
    His tool was a 25 Mhz, 486SX, 170 Mb machine.
  • During the interview Datastream indicated that
  • he communicated with Kuji only through the
    Internet or telephone,
  • he provided the information he stole to Kuji, and
  • Kuji had been his mentor.
  • Pryce pleaded guilty and was fined 1,200 pounds.
  • In June 1996 21-year-old Matthew Bevan, A.K.A.
    Kuji, was finally apprehended. In 1997 charges
    against him were dropped due to lack of evidence.
  • Kuji is now a security consultant. His web site
    is www.bogus.net/kuji.

47
A Typical Hacker Attack
48
  • THE BOEING ATTACK - 1995

  November 1995
  1. A computer consultant noticed the system was sluggish.
     (a) He executed the top command to determine what was
         slowing down the system.
     (b) A program called vs was consuming a large amount of
         system resources and was running as superuser.
  2. He next ran ps.
     (a) vs did not appear, so he suspected a break-in.
  3. He executed the Emacs dired command and found the vs
     program in a directory called /var/.e/vs.
  4. He next did a chdir() to the /var directory and did an
     ls -a command.
     (a) The directory /var/.e was not displayed.
  5. The programmer used the tar command to make a copy of
     the /var/.e, /bin and /etc directories.
     (a) He copied this to another computer.
  6. The programmer then shut down the system.
  7. He next examined the /bin/login file and found it had
     been modified to allow logging in with a special password.
  8. This seemed to be an exceptionally sophisticated attack.

  [Diagram: Hacker -> INTERNET -> Modem Attack -> Boeing
   Computer, with Trusted Connections to an Education
   Computer, a Government Computer and a Commercial Computer]
49
  • THE BOEING ATTACK - 1995

  9. He found that /var/.e/vs was a password sniffer which
     passed copied passwords to a remote computer.
  10. He found the /bin/ls and /bin/ps commands had been
      modified to not display the directory /var/.e.
  11. He also found the /bin/ls, /bin/ps and /bin/login file
      creation dates and modification times had been reset to
      the original dates and times.
  12. He found, in addition, that the checksums for the
      modified commands matched those of the original
      unmodified versions. A comparison of the modified
      programs with the backup version revealed the
      differences.

  [Diagram: Hacker -> INTERNET -> Modem Attack -> Boeing
   Computer, with Trusted Connections to a Government
   Computer, an Education Computer and a Commercial Computer]
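Steps 11 and 12 are the forensic lesson of the Boeing case: timestamps can be put back and a weak checksum can be matched, so only a comparison against a trusted copy revealed the modified ls, ps and login. The integrity check below is an added example (mine, not from the lecture or from any Boeing tooling) of the control that makes such a comparison routine: a baseline of cryptographic digests taken while the system is known good, re-checked later. The file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Cryptographic digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record digest, size and mtime for each file while the system is known
    good (in practice: at install time, kept off-host or on read-only media,
    because a baseline stored on the compromised machine can be edited too)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mtime_ns": st.st_mtime_ns}
    return baseline


def audit(baseline):
    """Re-hash every baselined file. A file whose digest changed is reported
    even when its size and mtime still match, since both are trivially
    restored by an intruder and neither is evidence of integrity."""
    findings = {}
    for p, rec in baseline.items():
        st = os.stat(p)
        if sha256_file(p) != rec["sha256"]:
            note = "content modified"
            if st.st_mtime_ns == rec["mtime_ns"]:
                note += "; mtime reset to original"
            if st.st_size == rec["size"]:
                note += "; size unchanged"
            findings[p] = note
    return findings


def demo():
    """Constructed scenario: baseline two stand-in 'binaries', then replace
    one file's contents with a same-length body and put its original
    timestamps back, as happened to /bin/ls in the Boeing case."""
    tmp = tempfile.mkdtemp()
    files = {}
    for name in ("ls", "ps"):
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"ORIGINAL " + name.encode() + b" PROGRAM BODY\n")
        files[name] = path
    baseline = take_baseline(files.values())

    # Simulated tampering of ls: same length, different bytes, timestamps restored.
    st = os.stat(files["ls"])
    with open(files["ls"], "wb") as fh:
        fh.write(b"TROJANED ls PROGRAM BODY\n")
    os.utime(files["ls"], ns=(st.st_atime_ns, st.st_mtime_ns))
    return audit(baseline)
```

The check is only as trustworthy as the tools and the baseline it runs with: if the host's own hashing binary or the stored digests could have been altered, run the audit from known-good media, which is the same reasoning that led the Boeing consultant to compare against a separate backup.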
50
Attack Methodology
  • What to Attack (selecting a network/target)?
  • 1. Internet
  • a. Access the Network Information Center. The
    InterNic provides Registration (rs.internic.net),
    Database (ds.internic.net) and Information
    (is.internic.net) Services.
  • b. whois server to obtain public information on
    hosts, networks, domains and system
    administrators.
  • c. WWW using the Uniform Resource Locator (URL)
    notation.
  • d. DNS to acquire the dotted decimal address.
  • e. traceroute to determine intermediate networks.
  • f. SNMP to dump a router table.
  • g. Archie to establish the locations of files.
    Archie is a server with an index of filenames.
  • h. Gopher as an ftp interface. Gopher allows
    access to resources through menus.

51
Attack Methodology
  • 2. Telecommunication/Modem
  • a. Social Engineering.
  • b. Dumpster Diving
  • c. Demon Dialing (Scanning/Autodialing/WarDialing)
  • d. Wiretapping
  • e. Optical-spying
  • f. Cheese box (unauthorized call forwarding)
  • g. Piggybacking
  • h. Call Forwarding
  • i. Password Breaker
  • j. Parking Lots
  • k. Shoulder Surfing
  • l. Socializing
  • m. Stealing Laptops
  • n. Wireless Communication

52
Attack Methodology
  • Who to Attack (selecting a host)?
  • 1. Ping the address with an ICMP Echo Request.
    This can also be used to find the route of the
    packet to the address.
  • 2. DNS with a reverse name look-up to translate
    the numeric address into a domain name address.
  • 3. DNS HINFO records provide the hardware and
    operating systems release which will be helpful
    in formulating an attack.
  • 4. Pinglist (a modification of traceroute with
    udp) to map the network.
  • 5. Netmappers are publicly available.
  • 6. Portmappers are publicly available.
  • 7. The Login Screen can be used to derive
    information about the target.
  • Note: Breadth is more important than innovation.
  • Select a known vulnerability rather than expose a
    new one.

53
Attack Methodology
  • Testing the host (finding a weakness).
  • Note: Weaknesses are generally specific to an
    operating system, host hardware or due to old
    bugs that have not been patched.
  • Utilize Internet Security Scanner(ISS) or
    Security Analysis Tool for Auditing
    Networks(SATAN) to scan for various holes.
  • a. Check for unprotected logins or mail aliases
    (sync, guest, lp, etc.) that do not require a password.
  • b. Connect to the mail port with Telnet and log the
    mailer type and version.
  • c. Attempt an anonymous FTP connection and try
    to grab the /etc/passwd file by using the root
    account. May want a list of supported commands.
  • d. rpcinfo to test for services running. This
    program prints out the current portmapper which
    details what Remote Procedure programs, ports,
    and protocols are active. Looking for NFS/mountd,
    yp/ms, rexd.
  • e. ypx to attempt to grab the passwords through
    the Network Information System(NIS), originally
    called Yellow Pages, in order to invoke some type
    of dictionary attack.
  • f. Transitive Trust Analyser to learn the source
    of logins and to recursively probe those hosts.
  • g. fping to determine Internet connection or
    Firewall.

54
Attack Methodology
  • Hacker goals after penetration
  • Leave no evidence of the successful attack.
  • The good hack retains a cloak of invisibility.
  • Fetch and crack the /etc/passwd file.
  • Obtain machine root(superuser) access.
  • Install password sniffing tools to collect data
    for later retrieval.
  • Install two or more security backdoors (security
    holes).
  • Check the /etc/hosts or .rhosts files for
    trusted hosts.
  • Check the mail alias database and log files.
  • Run security auditing programs such as
  • COPS
  • Internet Security Scanner(ISS)
  • Security Analysis Tool for Auditing
    Networks (SATAN)

55
  • - A Hackers View -

56
HACKER
  • Note: A hacker spends 60-70 hours/week Hacking!
  • Why?
  • A challenge/A game of wits/skill and ingenuity.
  • A sense of enjoyment/Accomplishment.
  • Intensely interested in computers.
  • Hacker Profile
  • Teens or early twenties.
  • A fast learner.
  • Academically advanced.
  • Bored in school.
  • Hackers grow up to become computer professionals.
  • As many as 80% of all system operators claim to
    have hacked.

57
Hacker is
  • The Student
  • Very bright but bored.
  • Excited by learning more about computers.
  • They will spend days examining files on a
    system.
  • Hacking is a solitary pastime - not antisocial
    behavior.
  • Generally adheres to good computer ethics.
  • He wants to remain undiscovered so he can use the
    system.
  • He wants to stay out of trouble.
  • He respects the system/programmers and doesn't
    want to create additional work.
  • He may seek employment with the company (at just
    the right time with just the right credentials).

58
Hacker is
  • The Crasher
  • A troublemaker.
  • No obvious purpose or logic to their hacking.
  • Makes themselves visible by creating as much
    trouble as possible.
  • They are very patient and plan their attack to
    accomplish the most damage.
  • Erases programs, files, etc
  • Crashers don't have a good reputation with other
    hackers.
  • They crash hacker bulletin boards, close down
    hacker accounts, etc.
  • The Crasher must be stopped during the
    reconnaissance phase.

59
Attack Methodology
  • Step One - The Target Reconnaissance.
  • Target Reconnaissance, sometimes called
    footprinting, is when the Hacker gathers
    information about the target system and the
    network.
  • Search the Internet - Web sites, IRC,
    newsgroups, etc.
  • Use the Domain Information Grouper(DIG) to
    attempt a Zone Transfer.
  • Gather information on network users through the
    Web, newsgroups, telephone books, Social
    Engineering, Dumpster Diving, examine cars, etc.
  • This will reveal password combination and the
    policy for determining user names.

60
Attack Methodology
  • For example
  • whois xyz.abc will find hosts on the xyz.com
    network
  • nslookup on xyz.abc will return information
    contained in the xyz.com DNS.
  • utilize a zone transfer program (DIG or
    named.xfer) to retrieve the DNS files from the
    primary DNS.
  • Utilize the ping command to determine which
    systems are connected to the Internet.
  • telnet navy.mil will determine the machine type
    and OS version.
  • Utilize telnet to port 25 to determine the
    sendmail version and machine type.
  • Utilize rpcinfo to scan for active ports and
    return a list of rpc programs running on the
    machine w/version numbers and port numbers.
  • Utilize finger to get a list of users on the
    system, etc.

61
Typical Hacker Attacks
  • VIRUS. A self-replicating, malicious program
    segment that attaches itself to legitimate
    application programs, operating system commands
    or other executable system components and spreads
    from one system to another.
  • Each reproduced virus code then grows
    independently of the other.
  • The virus grows geometrically.
  • Boot Sector. A virus that replaces the boot
    sector of a floppy or hard drive.
  • System File. A virus that infects system files.
  • Stealth. A virus that hides itself and actions
    from the operating system.
  • Polymorphic. A virus that changes itself each
    time it infects a file or disk. This virus hides
    itself and its actions from the operating system.
  • Multipartite. This virus infects both files and
    boot sectors.
  • Macro Virus. This virus is written in a macro
    language and is commonly found in software
    containing a scripting language such as Word,
    Excel, and PowerPoint.

62
Typical Hacker Attacks
  • WORM. An independent program that replicates from
    machine to machine across network connections and
    that clogs networks and computer systems as it
    spreads.
  • It is designed to search for idle computer
    memory and then to copy itself repeatedly until
    the memory is exhausted and the computer crashes.
  • A worm is not a virus although they are
    sometimes confused.
  • A virus must infect other programs with a copy
    of itself.
  • The most famous is the Internet Worm by Robert
    Morris.

63
Typical Hacker Attacks
  • IMPERSONATION. An attempt to gain access to a
    system by posing as an authorized user.
    Synonymous with masquerading and mimicking.
  • Example: using another person's access code to
    log on.
  • BOMBS. A computer program residing in a computer
    that is executed at appropriate or periodic times
    to determine conditions or states of a computer
    system and that facilitates the perpetration of
    an unauthorized act.
  • Example: a program that causes the system to
    erase all financial files when it discovers that
    a particular person has been removed from the
    personnel files. Logic bombs are very easy to
    write but difficult to detect.
  • A Time Bomb has a time trigger.
  • A Logic Bomb has a computer state trigger.

64
Typical Hacker Attacks
  • TRAP DOOR. A breach created intentionally in an
    ADP system for the purpose of collecting,
    altering or destroying data.
  • Generally done through putting extra code in a
    software program which acts as a testing aid for
    programmers during construction, testing or
    program maintenance.
  • TROJAN HORSE. A computer program that is
    apparently or actually useful but that performs
    another function.
  • The Trojan can modify databases, write checks,
    send electronic mail, destroy File Allocation
    Tables, directories or files.
  • The Trojan Horse can be embedded by a programmer
    or downloaded from a BBS.
  • Most Trojan Horses on microcomputers detonate
    their payload the moment they run, not only
    carrying out their intended function but also
    destroying themselves.

65
Typical Hacker Attacks
  • SOFTWARE PIRACY. The illegal copying of software
    (and repackaging it for sale).
  • Software piracy is being fought by the Software
    Publishing Association.
  • Indications are that this amounts to a 4-7
    billion loss in sales.
  • This results from individual copying, pirate
    BBSs, country piracy (China, Taiwan, Singapore,
    etc.) and try-before-buying rentals/loans.
  • SNIFFING. The installation of a protocol analyzer
    software program (sniffer) to surreptitiously
    gather user passwords and
  • log them to unused space under an innocuous
    name, such as "..".
  • The hacker at some time in the future will
    return and download the passwords and if
    necessary employ a Password Cracker.

66
Typical Hacker Attacks
  • BROWSING. Searching through storage to locate or
    acquire information, without necessarily knowing
    of the existence or the format of the information
    being sought.
  • DATA DIDDLING. The unauthorized changing of data
    before or during their input to a computer system
    resulting in increased paychecks, extra leave,
    overtime pay, etc.
  • EMBEZZLING. Using a computer to prepare false
    financial reports.
  • FORGERY. The illegal creation of documents or
    records which are intended to be construed as
    real, officially produced documents or records.
  • For example, using desktop publishing to create
    a false driver's license, social security card or
    passport.

67
Typical Hacker Attacks
  • FRAUD. The exploitation of information systems
    in an attempt to deceive an organization and/or
    to take its resources.
  • DENIAL OF SERVICE. This is performed by trashing
    a system, tying up ports, placing garbage on
    screens, changing file names, and erasing program
    files.
  • This type of attack is becoming more common
    (spamming, SYN attacks, etc.).
  • SPOOFING. The deliberate inducement of a user or
    a resource to take incorrect action.
  • Example: a user writes a program that gives
    "system like" responses to someone trying to log
    on to the system; thus, the person trying to log
    on will unwittingly give his password to the
    person/program doing the spoofing.

68
Typical Hacker Attacks
  • SUPERZAPPING. The unauthorized use of a utility
    computer program that violates computer access
    controls to modify, destroy, copy, disclose,
    insert, use, deny use or expose data in a
    computer.
  • The name derives from an IBM utility program
    called "Superzap" which permitted an operator to
    start, stop or modify a procedure that has been
    misbehaving.
  • The equivalent in a microcomputer would be
    something like PC Tools or Norton Utility.
  • SALAMI TECHNIQUES. The unauthorized, covert
    process of taking small amounts (slices) of money
    from many sources in and with the aid of a
    computer.
  • An example is the round-down fraud, whereby
    remainders from the computations of interest are
    moved to the attacker's account instead of being
    systematically distributed among the accounts that
    were rounded.
  • The story is told of a Russian worker who left
    the factory each night with a wheelbarrow full of
    sawdust and every night the guard poked the
    sawdust and upon finding nothing let him pass.
    Several years later, after both were retired,
    they accidentally met in a bar and the guard
    asked him what he was stealing in the wheelbarrow
    to which the worker replied "Oh, I was stealing
    the wheelbarrows."
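The round-down fraud above, worked through on a constructed three-account ledger together with the control that catches it; this is an added example, not code from the lecture. The rounding policy, the account ids and balances are assumptions, and the point it shows is that an aggregate reconciliation passes while a per-account recomputation under the stated policy flags the shaved accounts.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

# Constructed sample ledger: account id -> (balance, annual rate), one monthly period.
ACCOUNTS = {
    "A-1001": (Decimal("1234.56"), Decimal("0.0325")),
    "A-1002": (Decimal("98765.43"), Decimal("0.0210")),
    "A-1003": (Decimal("50.00"), Decimal("0.0500")),
}
CENT = Decimal("0.01")

def exact_interest(balance, rate, periods=12):
    """Unrounded interest for one period (hypothetical simple-interest policy)."""
    return balance * rate / periods

def policy_credit(balance, rate):
    """Stated policy: each account is credited its interest rounded half-up to the cent."""
    return exact_interest(balance, rate).quantize(CENT, rounding=ROUND_HALF_UP)

def honest_postings(accounts):
    """Postings produced by a program that follows the stated policy."""
    return {a: policy_credit(b, r) for a, (b, r) in accounts.items()}

def salami_postings(accounts, attacker="A-1003"):
    """Round-down fraud as the lecture describes it: every account is rounded DOWN
    and the shaved remainders are swept into one account (attacker id is assumed)."""
    postings = {}
    shaved = Decimal("0")
    for acct, (bal, rate) in accounts.items():
        exact = exact_interest(bal, rate)
        down = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = down
        shaved += exact - down
    postings[attacker] += shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings

def aggregate_check(accounts, postings):
    """Weak control: total posted vs. total exact interest, within a cent per account.
    The fraud passes this because the shaved money never leaves the ledger."""
    total_exact = sum(exact_interest(b, r) for b, r in accounts.values())
    return abs(sum(postings.values()) - total_exact) <= CENT * len(accounts)

def per_account_audit(accounts, postings):
    """Strong control: recompute each account's credit under the stated policy
    and return the ids whose posting deviates (sorted for stable output)."""
    return sorted(a for a, (b, r) in accounts.items() if postings[a] != policy_credit(b, r))
```

On this ledger both posting sets pass the aggregate check, while the per-account audit flags A-1002 and A-1003 for the fraudulent run and nothing for the honest one.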

69
Typical Hacker Attacks
  • PIGGY BACKING. Unauthorized access that is gained
    to an ADP system via another user's legitimate
    connection.
  • A method of gaining unauthorized physical access
    to guarded areas when the attacker does not
    possess the required authorization to pass.
  • Electronic piggybacking occurs when a computer
    or terminal covertly shares the same
    communication line as an authorized user. The
    host computer, to which they both transmit, is
    unable to distinguish the signals of the
    authorized user from those of the unauthorized
    user.
  • EAVESDROPPING. The unauthorized interception of
    information-bearing emanations through the use
    of methods other than wiretapping (TEMPEST).
  • SCAVENGING. Searching through residue for the
    purpose of unauthorized data acquisition.
  • A covert, unauthorized method of obtaining
    information that may be left in or around a
    computer system after the execution of a job.
  • Included here is a physical search (trash
    barrels, carbon copies, ribbons, diskettes, etc.)
    and a search for residual data within the
    computer storage areas, temporary storage tapes,
    and the like.
  • This, for example, encompasses dumpster diving,
    unerasing diskette files, examining scratch tapes
    and looking at old ribbons.

70
Typical Hacker Attacks
  • BUMBLING. Sometimes called "accidents", "errors
    of omission", or "errors of commission".
  • Indications are that this amounts to 50-60% of
    annual dollar loss. This is the result of clumsy
    fingers, big thumbs, and improper training.
  • DATA LEAKAGE. The covert copying of computer
    information and its removal from the
    organization.
  • For example, this could be as simple as the
    copying of a software program for home use.
  • This can be accomplished through diskettes, tape
    or hard copy. Very rarely do guards perform body
    checks or open briefcases.
  • WIRETAPPING. Normally accomplished at the wiring
    closet.
  • Passive Wiretapping with electrical induction
    can easily be accomplished with a tape recorder,
    microphone, AM/FM portable radio, a modem and a
    printer. The cassette recorder picks up the signal
    through induction; it is amplified through the
    radio and perhaps acoustically coupled through a
    modem, which converts the analog signal to digital
    for printing.
  • Active Wiretapping is the monitoring and
    recording of data while the data is being
    transmitted over a communications link.