Thursday, March 6, 2008

Possible vulnerabilities and ways to exploit

Software bugs

Software always has bugs. System administrators and programmers can never track down and eliminate all possible software vulnerabilities, while attackers only have to find one hole to break in. Software bugs are often exploited in server daemons, client applications, operating systems, and the network stack. They can be classified in the following manner:
Buffer overflows - Almost all the security holes you read about are due to this problem. A typical example is a programmer who sets aside 256 characters to hold a login username. If an attacker enters a username longer than that, you might have a problem: all the attacker has to do is send 300 characters, including code that will be executed by the server, and voila, game over. Hackers find these bugs in several ways. First, the source code for a lot of services is available on the net, and hackers routinely look through it for programs that have buffer overflow problems. Second, hackers may look at the programs themselves to see if such a problem exists. Third, hackers will examine every place the program takes input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the attacker to gain access.
Unexpected combinations - Programs are usually constructed using many layers of code, with the underlying operating system as the bottommost layer. Attackers can often send input that is meaningless to one layer but meaningful to another. The most common language for processing user input on the web is Perl. Programs written in Perl will usually send this input to other programs for further evaluation. A common hacking technique would be to enter something like "| mail < /etc/passwd". This gets executed because Perl asks the operating system to launch an additional program with that input. However, the operating system intercepts the pipe '|' character and launches the 'mail' program as well, which causes the password file to be emailed to the attacker.
Race conditions - Most systems today are "multitasking/multithreaded", meaning that they can execute more than one program at a time. There is a danger if two programs need to access the same data at the same time. Imagine two programs, ABC and XYZ, each of which attempts to modify the same file. In order to modify a file, each program must first read the file into memory, change the contents in memory, then copy the memory back out into the file. The race condition occurs when program ABC reads the file into memory and makes its change, but before ABC gets to write the file, program XYZ steps in and does the full read/modify/write on the file. Now program ABC writes its copy back out to the file. Since program ABC started with a copy taken before XYZ made its changes, all of XYZ's changes are lost. Since you need to get the sequence of events in just the right order, race conditions are very rare. Attackers usually attempt such actions thousands of times before they get it right and gain access to the system.
Unexpected input - Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn't match the specification.
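As an added example in C (not code from the original post), the 256-character username field from the buffer overflow item: the unbounded copy that overruns the buffer, beside a version that measures the input before copying, refuses anything that does not fit rather than truncating, and allowlists the characters a username may contain. The allowlist also rejects the pipe character from the "unexpected combinations" item, so such input never reaches a shell. The names USERNAME_MAX, take_username_unbounded and accept_username are my own.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 256   /* the 256-character field from the text */

/* 'Before': the pattern the text describes. strcpy copies until the input's
   terminating NUL, so a 300-character login runs past the end of `name`.
   Kept only for contrast; nothing in this file calls it. */
void take_username_unbounded(const char *input) {
    char name[USERNAME_MAX];
    strcpy(name, input);   /* no bound on the copy */
    (void)name;
}

/* Hardened: find the length without reading past out_len bytes, refuse input
   that is empty or leaves no room for the NUL, and accept only characters a
   username legitimately contains. The allowlist excludes '|', '<', ';', '&'
   and whitespace, so shell metacharacters are rejected at the boundary.
   Returns 0 on success, -1 on a bad length, -2 on a disallowed character. */
int accept_username(const char *input, char *out, size_t out_len) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    const char *end = memchr(input, '\0', out_len);
    if (end == NULL || end == input)   /* no NUL within out_len, or empty */
        return -1;
    size_t n = (size_t)(end - input);
    if (strspn(input, allowed) != n)   /* a disallowed character comes first */
        return -2;
    memcpy(out, input, n + 1);         /* n + 1 <= out_len, so the NUL fits */
    return 0;
}

int main(void) {
    char name[USERNAME_MAX];
    char longname[301];                /* constructed 300-character login */
    memset(longname, 'A', 300);
    longname[300] = '\0';
    printf("alice     -> %d\n", accept_username("alice", name, sizeof name));
    printf("300 x 'A' -> %d\n", accept_username(longname, name, sizeof name));
    printf("bob|mail  -> %d\n", accept_username("bob|mail", name, sizeof name));
    return 0;
}
```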
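The lost-update sequence described for programs ABC and XYZ, as an added C example that is not part of the original post: two processes each run read/modify/write cycles on a shared counter file, and when the whole cycle is held under an exclusive flock() no update is lost. The function names and the /tmp path are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* One read/modify/write cycle on a counter kept as decimal text in `path`.
   With use_lock set, the whole cycle runs under an exclusive flock(), so the
   other process blocks until our write lands instead of overwriting it. */
static int bump_counter(const char *path, int use_lock) {
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (use_lock && flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    char buf[32] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);              /* read   */
    long v = (n > 0) ? strtol(buf, NULL, 10) : 0;
    int len = snprintf(buf, sizeof buf, "%ld\n", v + 1);    /* modify */
    lseek(fd, 0, SEEK_SET);
    if (write(fd, buf, (size_t)len) != len) { close(fd); return -1; } /* write */
    close(fd);                             /* closing also releases the lock */
    return 0;
}

/* Program "ABC" (parent) and program "XYZ" (child) each bump the counter
   `rounds` times. Returns the final value: 2 * rounds if no update was lost. */
long race_demo(const char *path, int rounds, int use_lock) {
    unlink(path);                          /* start from an empty counter */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        for (int i = 0; i < rounds; i++) bump_counter(path, use_lock);
        _exit(0);
    }
    for (int i = 0; i < rounds; i++) bump_counter(path, use_lock);
    waitpid(pid, NULL, 0);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char buf[32] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return (n > 0) ? strtol(buf, NULL, 10) : -1;
}

int main(void) {
    /* Constructed demo path. The unlocked run may report fewer than 1000. */
    printf("unlocked: %ld\n", race_demo("/tmp/race_demo.txt", 500, 0));
    printf("locked:   %ld\n", race_demo("/tmp/race_demo.txt", 500, 1));
    return 0;
}
```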

System configuration bugs

Default configurations - Most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, "easy-to-use" means "easy-to-break-in". Almost any UNIX or WinNT machine shipped to you can be hacked in easily.
Poor system administrator practices - A surprising number of machines are configured with an empty root/administrator password. This is because the administrator is too lazy to configure one right now and wants to get the machine up and running quickly with minimal fuss. Unfortunately, they never get around to fixing the password later, allowing attackers easy access. One of the first things an attacker will do on a network is to scan all machines for empty passwords.
Running unnecessary services - Virtually all programs can be configured to run in a non-secure mode. Sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn't absolutely positively need to run on a machine in order to avoid accidental holes. Note that security-auditing packages (such as Enterprise Security Manager from Symantec) can usually find these holes and notify the administrator.
Trust relationships - Attackers often "island hop" through the network exploiting trust relationships. A network of machines trusting each other is only as secure as its weakest link.

Password cracking

Easy-to-guess passwords - These are passwords where people use the names of themselves, their children, spouse/SO, pet, or car model as their password. Then there are the users who choose "password" or simply null passwords.
Dictionary attacks - With this attack, the attacker will use a program that tries every possible word in the dictionary. Dictionary attacks can be done either by repeatedly logging into systems, or by collecting encrypted passwords and attempting to find a match by similarly encrypting all the passwords in the dictionary. Attackers usually have a copy of the English dictionary as well as foreign language dictionaries for this purpose. They also use additional dictionary-like databases, such as names (see above) and lists of common passwords.
Brute force attacks - Similar to a dictionary attack, an attacker may try all possible combinations of characters. A short 4-letter password consisting of lower-case letters can be cracked in just a few minutes. A long 7-character password consisting of upper and lower case letters, as well as numbers and punctuation, can take months to crack assuming you can try a million combinations a second (in practice, a thousand combinations per second is more likely for a single machine).

Sniffing unsecured traffic

Shared medium - On traditional Ethernet, all you have to do is put a sniffer on the wire to see all the traffic on a segment. This is getting more difficult now that most corporations are transitioning to switched Ethernet.
Server sniffing - However, on switched networks, if you can install a sniffing program on a server (especially one acting as a router), you can probably use that information to break into client machines and trusted machines as well. For example, you might not know a user's password, but sniffing a Telnet session when they log in will give you that password.
Remote sniffing - A large number of boxes come with RMON enabled and public community strings. While the bandwidth is really low (you can't sniff all the traffic), it presents interesting possibilities.

Design flaws

Even if a software implementation is completely correct according to the design, there still may be bugs in the design itself that lead to intrusions.
TCP/IP protocol flaws - The TCP/IP protocol was designed before we had much experience with the wide-scale hacking we see today. As a result, there are a number of design flaws that lead to possible security problems. Some examples include smurf attacks, ICMP Unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that the IP protocol itself is very "trusting": hackers are free to forge and change IP data with impunity. IPsec (IP security) has been designed to overcome many of these flaws, but it is not yet widely used.
UNIX design flaws - There are a number of inherent flaws in the UNIX operating system that frequently lead to intrusions. The chief problem is the access control system, where only 'root' is granted administrative rights.


Friday, February 29, 2008

Intrusion Techniques

These are the primary ways an attacker can get into a system:

Physical Intrusion - If an attacker has physical access to a machine (i.e. they can use the keyboard or take apart the system), they will be able to get in. Techniques range from special privileges the console has, to the ability to physically take apart the system and remove the disk drive (and read/write it on another machine).

System Intrusion - This type of hacking assumes the attacker already has a low-privilege user account on the system. If the system doesn't have the latest security patches, there is a good chance the attacker will be able to use a known exploit in order to gain additional administrative privileges.

Remote Intrusion - This type of hacking involves an attacker who attempts to penetrate a system remotely across the network. The attacker begins with no special privileges. There are several forms of this type of hacking. Note that Network Intrusion Detection Systems are primarily concerned with Remote Intrusion.

Attacker Profiles

There are two words to describe the attacker: hacker and attacker. A hacker is a generic term for a person who likes getting into things. The benign hacker is the person who likes to get into his/her own computer and understand how it works. The malicious hacker is the person who likes getting into other people's systems. The benign hackers wish that the media would stop bad-mouthing all hackers and use the term 'attacker' instead. Unfortunately, this is not likely to happen. In any event, the word used to denote anybody trying to get into your system in this paper is 'attacker'.
Attackers can be classified into two categories.
Outsiders
These are attackers from outside your network attempting to attack your external presence (deface web servers, forward spam through e-mail servers, etc.). They may also attempt to go around the firewall to attack machines on the internal network. Outside attackers may come from the Internet, dial-up lines, physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
Insiders
These are attackers who have legitimate reasons to use/access your internal network. They include users who misuse privileges or who impersonate higher privileged users. A frequently quoted statistic cites that insiders commit 80% of security breaches.

Thursday, February 14, 2008

Hacking: The Basics

Introduction

An intrusion can be defined as an attempt to break into or misuse a computer system. The word "misuse" is broad, and can mean anything from something as severe as stealing confidential data to something as minor as misusing your email system for spam. Today, both the Internet and corporate intranets are simply crawling with people from all walks of life who are continuously trying to test the security of various systems and networks. Some of these people are seeking some sort of intellectual high, while others are fueled by more treacherous motives such as revenge or stealing for profit. In any event, no intrusion is innocent and no intrusion is benign. There is no silver bullet available out there that will totally secure our networks and systems. The only thing that we can do as IT professionals is make sure all of the doors are locked, the alarm is turned on, and educate ourselves on what to look for. The primary focus of this practical paper is to educate the less security conscious IT professionals and end-users on exactly who is out there and what they are doing to get in. By attempting to establish this baseline of security knowledge we essentially extend the arm of IT security to include the very users who today present the greatest danger: the uneducated user.