We are hackers. The term "hacker" originally meant someone who understood
computers deeply; however, as computers became popular, the media used hacker to
refer to those who committed computer crimes, and so the population at large
learned the term in the context of the computer criminal. This bothered us
ethical hackers, so we began calling malicious hackers "crackers" in order to
differentiate them from us. So far, it hasn't worked very well; most people
outside the computer security world don't understand the difference. After much
contemplation, we have decided to use the term hackers to refer to anyone who
would break into your computer systems because we're not differentiating their
motivations. It doesn't matter to us whether the hacker is malicious, joyriding,
a law enforcement agent, one of your own employees, an ethical hacker you've
paid to attempt to break into your network, or even one of your humble authors.
This article is about keeping everyone out. We use the term hacker because it
encompasses all these motivations, not just those of the malicious cracker.
Hacker Species
Learning to hack takes an enormous amount of time,
as do acts of hacking. Because of the time hacking takes, there are only two
serious types of hackers: the underemployed, and those hackers being paid by
someone to hack. The word "hacker" conjures up images of skinny teenage boys
aglow in the phosphorescence of their monitors. Indeed, this group makes up the
largest portion of the teeming millions of hackers. These hackers are now
referred to as "script kiddies" in the hacking world, because they download
hacking programs called scripts from hacking-interest websites and then try them
out in droves against public servers on the Internet. While script kiddies don't
do anything innovative, their sheer numbers ensure that any exploits you are
vulnerable to will actually be run against you. Because of script kiddies, you
simply cannot presume that you won't be found because you aren't famous or in
the public eye.
Quite specifically, hackers fall into these categories,
in order of increasing threat:
Security Experts
Security experts (me included) are capable of hacking,
but decline from doing so for moral or economic reasons. Computer security
experts have found that there's more money in preventing hacking than in
perpetrating it, so they spend their time keeping up with the hacking community
and current techniques in order to become more effective in the fight against
it. A number of larger Internet service companies employ ethical hackers to test
their security systems and those of their large customers. Hundreds of former
hackers now consult independently as security experts to medium-sized
businesses. These experts are often the first to find new hacking exploits, and
they often write software to test or exacerbate a condition. However, unethical
hackers can exploit this software just as they can exploit any other
software.
I have placed security experts as the lowest threat because if
they became a threat, they would, by definition, immediately become criminal
hackers. The problem with security experts is the same as with any trusted and
powerful (in this specific context) individual: what do you do when they turn on
you? In those rare cases where a security expert goes to the dark side, the
damage is far reaching and can be so vast that it's difficult to determine
exactly what happened. The rarity of this event, not the possible consequences,
is what makes security experts a low threat. Even a security expert who is
exceptionally ethical can be pissed off; I myself perform self-defense hacking
against those who show up with blatant hacking attempts in my firm's firewall
logs (which is technically illegal).
In rare cases, the dividing line
between a hacker and a security expert is so blurred that they can only be
distinguished by their activities. This is the case with groups like the
now-defunct L0pht, a cadre of expert hackers that converted into security
experts operating a for-profit business. They have, to all appearances, ceased
illegal activities, but they write software that is useful both for security
administration and hacking; their sympathies lie firmly with the hacking
community.
These security experts understand more about hacking than any
academic study could ever provide. Their ethos is that the only secure
environment is one well tested for security failure. They come under constant
fire from those who don't understand that the people who find a problem and
publicize it aren't encouraging hacking—they're preventing it.
The work of
security experts and hackers in general has had the effect of boosting the
Internet's immunity to attack. Imagine what would happen if nobody hacked:
Firewalls would be unnecessary, encryption would be unnecessary, and the
Internet would be a simpler place. The first criminal hacker to come along would
have free and unencumbered access to everything.
The motivation of
security vendors, however, can be extremely murky. For example, eEye is in the
business of finding security holes in IIS because they sell software that
filters connections on IIS servers. Whenever their research uncovers an exploit
that IIS is vulnerable to (and oddly, that their software protects against) they
immediately publish the details, knowing full well that a hacker will write an
exploit for it, that script kiddies will download it, that thousands of web
servers will be compromised, and that the administrators of those web servers
will buy their software. This would be as if the virus scanner companies wrote
the very viruses they are supposed to protect your computer against.
Script Kiddies
Script kiddies are students who hack and
are currently enrolled in some scholastic endeavor—junior high, high school, or
college. Their parents support them, and if they have a job it's only
part-time. They are usually enrolled in whatever computer-related courses are
available, if only to have access to the computer lab. These hackers may use
their own computers, or (especially at colleges) they may use the greater
resources of the school to perpetrate their hacks.
Script kiddies are
joyriding through cyberspace looking for targets of opportunity and are
concerned mostly with impressing their peers and not getting caught. They
usually are not motivated to harm you, and in most instances, you'll never know
they were there unless you have some alarm software or a firewall that logs
attacks. These hackers constitute about 90% of the total hacking activity on the
Internet.
If you considered the hacking community as an economic
endeavor, these hackers are the consumers. They use the tools produced by
others, stand in awe of the hacking feats of others, and generally produce a fan
base to which more serious student hackers and underemployed adult hackers play.
Any serious attempt at security will keep these hackers at bay.
Script
kiddies hack primarily to get free stuff: software and music, mostly. They
pirate software amongst themselves, make MP3 compressed audio tracks from CDs of
their favorite music, and trade the serial numbers needed to unlock the full
functionality of demo software that can be downloaded from the
Internet.
If you want to find hackers on the Internet, you need to know
the unique words to search for their community web pages. Hackers have adopted
the convention of replacing the plural "s" with a "z," specifically for the
purpose of making it easy to use a search engine to find their sites. They also
use jargon to refer to the various commodities of their trade:
- Warez - Software packages
- mp3z - Music, from the MPEG-3 encoding scheme used for compression
- serialz - Serial numbers and unlock codes
- hackz - Hacking techniques
- crackz - Patches that will remove the license checks from software packages
Do a web search using these terms to see what you come
up with.
Underemployed Adult Hackers
Underemployed adults
are former script kiddies who have either dropped out of school or who have
failed to achieve full-time employment and family commitments for some other
reason. They usually hold "pay the rent" jobs. Their first love is probably
hacking, and they are quite good at it. Many of the tools script kiddies use are
created by these adult hackers.
Adult hackers are not outright criminals
in that they do not intend to harm others. However, the majority of them are
software and content pirates, and they often create the "crackz" applied by
other hackers to unlock commercial software. This group also writes the majority
of the software viruses.
Adult hackers hack for notoriety in the hacking
community: they want to impress their peers with exploits and information they've
obtained, and to make a statement of defiance against the government or big
business. These hackers hack for the technical challenge. This group constitutes
only about a tenth of the hacking community, but they are the source for the
vast majority of the software written specifically for hackers.
A new and
important segment of underemployed adults has recently emerged from the former
Warsaw Pact nations. Because of the high quality of education in those countries
and the current economic conditions, hundreds of thousands of bright and
otherwise professional people hack. Sometimes they have an axe to grind, but most
often they are simply looking for something that will make or save them money,
like pirated software. Professors, computer scientists, and engineers from those
countries have turned their hopes to the Internet looking for employment or
whatever else they can find. Students graduate from college, but for lack of
employment never graduate from hacking. For similar economic reasons, and
because of technological penetration into their society, Israel, India, and
Pakistan have recently become hotbeds of hacking activity.
The global
nature of the Internet means that literally anyone anywhere has access to the
machines on your Internet connection. In the old days, it took at least money or
talent to reach out and hack someone. These days, there's no difference between
hacking a computer in your neighborhood and one on the other side of the world.
The problem is that in many countries, hacking is not a crime because
intellectual property is not strongly protected by law. If you're being hacked
from outside your country, you won't be able to bring the perpetrator to justice
even if you found out who it was, unless they also committed some major crime,
like grand theft of something other than intellectual property.
Ideological Hackers
Ideological hackers are those who hack to further some
political purpose. Ideological hacking is most common in hot political arenas
like environmentalism and nationalism.
These hackers take up the standard
of their cause and (usually) deface websites or perpetrate denial-of-service
attacks against their ideological enemies. They're usually looking for mass
media coverage of their exploits, and because they nearly always come from
foreign countries and often have the implicit support of their home government,
they are impervious to prosecution and local law.
While they almost never
direct their attacks against specific targets that aren't their enemies,
innocent bystanders frequently get caught in the crossfire. Examples of
ideological hacking are newspaper and government sites defaced by Palestinian
and Israeli hackers both promulgating their specific agendas to the world, or
the hundreds of thousands of IIS web servers exploited by the recent "Code Red"
worm originating in China, which defaced websites with a message denigrating the
U.S. Government. This sort of hacking comes in waves whenever major events occur
in the political arena. While it's merely a nuisance at this time, in the future
these sorts of attacks will consume so much bandwidth that they will cause
chaotic "weather-like" packet storms.
Criminal Hackers
Criminal hackers hack for revenge or to perpetrate theft.
This category doesn't bespeak a level of skill so much as an ethical standard
(or lack thereof). Criminal hackers are the ones you hear about in the
paper—those who have compromised Internet servers to steal credit card numbers,
performed wire transfers from banks, or hacked an Internet banking mechanism to
steal money.
These hackers are as socially deformed as any real criminal;
they are out to get what they can from whomever they can regardless of the cost
to the victim. Criminal hackers are exceedingly rare because the intelligence
required to hack usually also provides ample opportunity for the individual to
find some socially acceptable means of support.
Corporate Spies
Actual corporate spies are also rare because it's extremely
costly and legally very risky to employ these tactics against competing
companies. Who does have the time, money, and interest to use these tactics?
Believe it or not, these attacks are usually engaged against high-technology
businesses by foreign governments. Many high-technology businesses are young and
naive about security, making them ripe for the picking by the experienced
intelligence agencies of foreign governments. These agencies already have
budgets for spying, and taking on a few medium-sized businesses to extract
technology that would give their own corporations an edge is
commonplace.
Nearly all high-level military spy cases involve individuals
who have incredible access to information, but as public servants don't make
much money. This is a recipe for disaster. Low pay and wide access is probably
the worst security breach you could have if you think your competition might
actually take active measures to acquire information about your
systems.
For some, loyalty is bought, and it goes to the highest bidder.
Would someone at your company who makes ten dollars an hour think twice about
selling their account name and password for a hundred thousand dollars? Money is
a powerful motivator, especially to those with crushing debt problems. Many
spies are also recruited from the ranks of the socially inept using love, sex,
or the promise thereof. Think about the people who work with you: would every one
of them be immune to the charms of someone who wanted access?
Remember
that these sorts of attacks are not generally perpetrated by your domestic
competition, but by the governments of foreign competitors. Domestic competitors
prefer the time-honored (and legal) method of simply hiring away those
individuals in your company who created the information that your network
stores. There's very little that can be done about this sort of security breach,
unless you already have employment agreements in place that stipulate
non-competition when employees leave the company.
Disgruntled Employees
Disgruntled employees are the most dangerous security
problem of all. An employee with an axe to grind has both the means and the
motive to do serious damage to your network. These sorts of attacks are
difficult to detect before they happen, but some sort of behavioral warning
generally precipitates them.
Overreacting to an employee who is simply
blowing off steam by denigrating management or coworkers is a good way to create
a disgruntled employee, however. So be cautious about the measures you take to
prevent damage from a disgruntled employee.
Also remember that outsourced
network service companies may have policies that make them hard to replace if
you decide you no longer wish to retain their services, and that disgruntled
small companies tend to behave a lot like disgruntled employees. There's very
little that can be done about attacks that come from people with an intimate
knowledge of your network, so you should either choose your service providers
wisely and exercise a lot of oversight, or require the escort of a trusted
employee at all times.
Unfortunately, there's very little you can do
about a disgruntled employee's ability to damage your network. Attacks range
from the complex (a network administrator who spends time reading other people's
e-mail) to the simple (a frustrated clerk who takes a fire-axe to your database
server).
Yes, all major operating systems have built-in internal security
features that are useful for keeping users in line, but anyone who's ever been
an administrator on your network knows all the holes, all the back doors, other
people's passwords, and the "administrative" tools that can be used to cause all
sorts of local exploits on machines. No version of any major operating system
has been immune to "root level" access exploits within the last 12 months, not
even the super-hardened OpenBSD. If someone with console access to a running
server wants to take it down, it's going down no matter what security measures
you have in place.
Accountability and the Law are your friends in this
situation. Unlike hackers, it's very easy to track down disgruntled users and
apply the force of the law against them. Accountability keeps these attacks
relatively rare.
Vectors of Attack
There are only four ways for a hacker to access your network:
- By using a computer on your network directly
- By dialing in via a RAS or remote control server
- By connecting over the Internet
- By connecting to your network directly (usually via a wireless LAN)
There are no other possible vectors. This
small number of possible vectors defines the boundaries of the security problem
quite well, and as the following sections show, makes it possible to contain them
even further.
Physical Intrusion
Hackers are
notoriously nonchalant and have, on numerous occasions, simply walked into a
business, sat down at a local terminal or network client, and begun setting the
stage for further remote penetration.
In large companies, there's no way
to know everyone by sight, so an unfamiliar worker in the IS department isn't
uncommon or suspicious at all. In companies that don't have ID badges or
security guards, there isn't anybody to check credentials, so penetration is
relatively easy. And even in small companies, it's easy to put on a pair of
coveralls and pretend to be with a telephone or network wiring company, or even
pose as the spouse of a fictitious employee. With a simple excuse like telephone
problems in the area, access to the server room is granted (oddly, these are
nearly always co-located with telephone equipment). If left unattended, a hacker
can simply create a new administrative user account. A small external modem can
be attached and configured to answer in less than a minute, often without
rebooting your server.
Other rarer possibilities include
intruding over a wireless link or tapping some wide area network to which your
network is directly attached, like an X.25 link or a frame relay
connection.
Solving the direct intrusion problem is easy: Employ strong
physical security at your premises and treat any cable or connection that leaves
the building as a public medium. This means you should put firewalls between
your WAN links and your internal network, or behind wireless links. By employing
your firewalls to monitor any connections that leave the building, you are able
to eliminate direct intrusion as a vector.
The final direct intrusion
problem is that of a hacker who works for your company. This problem is far more
difficult to solve than border security, because the perpetrator has a valid
account on your network and knowledge of the information it contains. Solving
the disgruntled employee/spy problem requires such stringent security measures
that your network may become difficult to use for legitimate employees. Many
companies find that it's simply not worth the bother and allow the threat to go
unchecked.
There is a better way to deal with this remote possibility:
strong auditing. Unlike permission-based restriction to resources, an audit
approach allows wide access to information on the network and also tracks
everything employees do with that access. This doesn't prevent theft or loss of
information, but it does show exactly how it occurred and from which account the
attack was perpetrated. Because you know the perpetrator directly, you will be
able to bring criminal charges against them.
It's most effective to let
all employees know that the IT department audits everything that comes and goes
in the network for the purpose of security. This prevents problems from
starting, since potential miscreants become aware that hacking attempts would be
a dead giveaway.
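As an added illustration of the audit approach described above (and of the physical-intrusion scenario earlier, where an unattended console is used to create a new administrative account), here is a small Python script that is not part of the original article: it parses constructed audit log lines, lists every grant of Administrators membership with the account that made it, and traces access to a sensitive file back to the account that created the accessing account. The log format, host names, account names and file path are all constructed for this example.

```python
"""Audit-trail attribution over constructed audit log lines (added example).

Access is wide, but every action is logged with the account that performed it,
so the trail shows how an incident occurred and from which account. The log
format, host names and account names are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, "timestamp account action target": an unfamiliar console
# logon creates an account, grants it Administrators, and that account later dials
# in via RAS and copies a payroll file.
SAMPLE_AUDIT_LOG = """\
2001-08-14T08:02:11 jsmith LOGON console:srv-fin01
2001-08-14T08:05:40 jsmith READ srv-fin01/payroll/q3.xls
2001-08-14T17:31:02 jsmith LOGOFF console:srv-fin01
2001-08-14T19:44:09 telco_tmp LOGON console:srv-fin01
2001-08-14T19:45:13 telco_tmp USER_CREATE svc_backup2
2001-08-14T19:45:30 telco_tmp GROUP_ADD svc_backup2->Administrators
2001-08-14T19:47:02 telco_tmp LOGOFF console:srv-fin01
2001-08-15T02:10:55 svc_backup2 LOGON ras:modem-line-3
2001-08-15T02:12:40 svc_backup2 READ srv-fin01/payroll/q3.xls
2001-08-15T02:13:01 svc_backup2 COPY srv-fin01/payroll/q3.xls
"""

ADMIN_GROUP = "Administrators"

@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    account: str
    action: str
    target: str

def parse_audit_log(text):
    """Parse four-field lines into AuditEvents; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, account, action, target = parts
        events.append(AuditEvent(datetime.fromisoformat(ts), account, action, target))
    return events

def admin_grants(events):
    """(actor, new member) for every addition to the Administrators group."""
    suffix = "->" + ADMIN_GROUP
    return [(ev.account, ev.target[: -len(suffix)])
            for ev in events
            if ev.action == "GROUP_ADD" and ev.target.endswith(suffix)]

def access_trail(events, resource):
    """Every (timestamp, account, action) that touched a resource, in time order."""
    return sorted((ev.when, ev.account, ev.action)
                  for ev in events if ev.target == resource)

def attribute_chain(events, resource):
    """Map each account that touched the resource to the account that created it
    within the audit window (None for accounts that pre-date the window)."""
    creators = {ev.target: ev.account for ev in events if ev.action == "USER_CREATE"}
    return {account: creators.get(account)
            for _, account, _ in access_trail(events, resource)}

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for actor, member in admin_grants(evs):
        print(f"admin grant: {actor} added {member} to {ADMIN_GROUP}")
    for acct, creator in attribute_chain(evs, "srv-fin01/payroll/q3.xls").items():
        print(f"{acct} read payroll; created by {creator or 'pre-existing account'}")
```

Run against the sample, the script attributes the off-hours payroll copy by svc_backup2 to the console session of telco_tmp that created that account, which is exactly the "from which account" answer the audit approach promises.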
Dial-up
Dial-up hacking via modems
used to be the only sort of hacking that existed, but it has quickly fallen to
second place after Internet intrusions. Hacking over the Internet is simply
easier and more interesting for hackers.
This doesn't mean that the
dial-up vector has gone away; hackers with a specific target will employ any
available means to gain access.
Although the dial-up problem usually
means exploiting a modem attached to a RAS server, it also includes the
possibility of dialing into an individual computer with a modem set to answer
for the purpose of allowing remote access or remote control for the client. Many
organizations allow employees to remotely access their computers from home using
this method.
Containing the dial-up problem is conceptually easy: Put
your RAS servers outside your firewall, and force legitimate users to
authenticate with your firewall to gain access to resources inside. Allow no
device to answer a telephone line inside your firewall. This eliminates dial-up
as a vector by forcing it to work like any other Internet
connection.
Internet
Internet intrusion is the most
available, most easily exploited, and most problematic vector of intrusion into
your network. The Internet will be the only true risk vector into your
network.
Direct Connection
Wireless, especially the
extremely popular 802.11b protocol that operates at 11 Mbps and is nearly as cheap
as standard Ethernet adapters and hubs, has taken root in the corporate world
and grown like a weed. Based on the earlier and much less popular 802.11
standard, 802.11b allows administrators to attach wireless access points (WAPs)
to their network and allow roaming wireless users (usually attached to laptops)
to roam the premises without restriction. In another mode, two WAPs can be
pointed at one another to form a wireless bridge between buildings, which can
save companies tens of thousands of dollars in construction or circuit
costs.
802.11b came with a much-touted built-in encryption scheme called
Wired-Equivalent Privacy (WEP) that promised to allow secure networking
without compromising security. It sounded great. Too bad it took less than 11
hours for researchers to hack. Nobody paid attention at first, so these same
researchers released software that automatically hacked it. WEP is so thoroughly
compromised at this point that it should be treated as a non-secure connection
from the Internet. All wireless devices should be placed on the public side of
your Internet connection, and users should have to authenticate with your
firewall.
This leaves just one remaining problem: Theft of service. You
can take a laptop down the sidewalks of San Francisco at this very moment and
authenticate with any one of over 800 (by a recent count published on Slashdot)
802.11b networks. While you might be outside the corporate firewall, if you're
just looking to browse the web, you're in luck. It's especially lucky if you're
a hacker looking to hide your trail behind someone else's IP
address.
End of PART 1
In this article we have discussed
the basic terms of ‘hacking’ and their basic attacks; in Part 2 we will discuss
the common hacking techniques.