Chapter 1 – Introduction
1.1 History of Hacking & Hackers
Hacking has been around for more than a century.
In the 1870s, several teenagers were flung off the country's brand new phone
system by enraged authorities. Here's a peek at how busy hackers have been in
the past 35 years.
Early 1960s
University facilities with huge mainframe
computers, like MIT's artificial intelligence lab, become staging
grounds for hackers. At first, "hacker" was a positive term for a
person with a mastery of computers who could push programs beyond what they
were designed to do.
Early 1970s
John Draper makes a long-distance call for free by blowing a precise
tone into a telephone that tells the phone system to open a line. Draper
discovered the whistle as a give-away in a box of children's cereal. Draper,
who later earns the handle "Captain Crunch," is arrested repeatedly
for phone tampering throughout the 1970s.
Yippie social movement starts YIPL/TAP (Youth
International Party Line/Technical Assistance Program) magazine to help phone
hackers (called "phreaks") make free long-distance calls.
Two members of California's Homebrew
Computer Club begin making "blue boxes," devices used to
hack into the phone system. The members, who adopt handles "Berkeley
Blue" (Steve Jobs) and "Oak Toebark" (Steve Wozniak), later go
on to found Apple Computer.
Early 1980s
Author William Gibson coins the
term "cyberspace" in a science fiction novel called Neuromancer.
In one of the first arrests of hackers, the FBI
busts the Milwaukee-based 414s (named after the local area code) after members
are accused of 60 computer break-ins ranging from Memorial
Sloan-Kettering Cancer Center to Los Alamos National Laboratory.
Comprehensive Crime Control Act gives Secret
Service jurisdiction over credit card and computer fraud.
Two hacker groups form, the Legion of
Doom in the United States and the Chaos Computer Club in
Germany.
2600: The Hacker Quarterly is founded to share tips on phone and
computer hacking.
Late 1980s
The Computer Fraud and Abuse Act gives
more clout to federal authorities.
Computer Emergency Response Team is formed by U.S. defense agencies. Based
at Carnegie Mellon University in Pittsburgh, its mission is to investigate the
growing volume of attacks on computer networks.
At 25, veteran hacker Kevin Mitnick secretly
monitors the e-mail of MCI and Digital Equipment security officials. He is
convicted of damaging computers and stealing software and is sentenced to one year
in prison.
First National Bank of Chicago is the victim of
a $70-million computer heist.
An Indiana hacker known as "Fry
Guy" -- so named for hacking McDonald's -- is raided by law
enforcement. A similar sweep occurs in Atlanta for Legion of Doom hackers
known by the handles "Prophet," "Leftist" and
"Urvile."
Early 1990s
After AT&T long-distance
service crashes on Martin Luther King Jr. Day, law enforcement starts a national
crackdown on hackers. The feds nab St. Louis' "Knight
Lightning" and in New York grab Masters of Deception trio "Phiber
Optik," "Acid Phreak" and "Scorpion." Fellow hacker
"Eric Bloodaxe" is picked up in Austin, Texas.
Operation Sundevil, a special team of Secret Service
agents and members of Arizona's organized crime unit, conducts raids in
12 major cities, including Miami.
A 17-month search ends in the capture of hacker Kevin
Lee Poulsen ("Dark Dante"), who is indicted for stealing
military documents.
Hackers break into Griffith Air Force
Base, then penetrate computers at NASA and the Korean
Atomic Research Institute. Scotland Yard nabs "Data Stream,"
a 16-year-old British teenager who curls up in the fetal position when seized.
A Texas A&M professor receives death
threats after a hacker logs on to his computer from off-campus and
sends 20,000 racist e-mail messages using his Internet address.
In a highly publicized case, Kevin Mitnick is
arrested (again), this time in Raleigh, N.C., after he is tracked down via
computer by Tsutomu Shimomura at the San Diego Supercomputer
Center.
Late 1990s
Hackers break into and deface federal Web
sites, including the U.S. Department of Justice, U.S. Air Force, CIA,
NASA and others.
Report by the General Accounting Office finds
Defense Department computers sustained 250,000 attacks by
hackers in 1995 alone.
A Canadian hacker group called the Brotherhood,
angry at hackers being falsely
accused of electronically stalking a Canadian family, break into the Canadian
Broadcasting Corp. Web site and leave the message: "The media are liars." The family's own 15-year-old son is eventually
identified as the stalking culprit.
Hackers pierce security in Microsoft's NT operating system to illustrate its weaknesses.
Popular Internet search engine Yahoo! is hit by
hackers claiming a "logic bomb" will go off in the PCs of Yahoo!'s users on
Christmas Day 1997 unless Kevin Mitnick is released from prison. "There is
no virus," Yahoo! spokeswoman Diane Hunt said.
1998
Anti-hacker ad runs during Super Bowl XXXII. The
Network Associates ad, costing $1.3-million for 30 seconds, shows two Russian missile silo crewmen worrying that a computer order to launch
missiles may have come from a hacker. They decide to blow up the world anyway.
In January, the federal Bureau of Labor
Statistics is inundated for days with hundreds of thousands of fake information requests, a hacker attack called "spamming."
Hackers break into the United Nations Children's Fund Web site, threatening a "holocaust" if
Kevin Mitnick is not freed.
Hackers claim to have broken into a Pentagon
network and stolen software for a military satellite system. They threaten to sell the software to
terrorists.
The U.S. Justice Department unveils the National Infrastructure Protection Center, which is given a mission to protect the nation's
telecommunications, technology and transportation systems from hackers.
Hacker group L0pht, in testimony before
Congress, warns it could shut down nationwide
access to the Internet in less than 30 minutes.
The group urges stronger security measures.
1.2 What is Information Security?
Definition - What does Information Security (IS) mean?
Information security (IS) is designed to protect the
confidentiality, integrity and availability of computer system data from those
with malicious intentions. Confidentiality, integrity and availability are
sometimes referred to as the CIA Triad of information security. This triad has
evolved into what is commonly termed the Parkerian hexad, which includes
confidentiality, possession (or control), integrity, authenticity, availability
and utility.
Techopedia explains Information Security (IS)
Information security handles risk management. Anything
can act as a risk or a threat to the CIA triad or Parkerian hexad. Sensitive
information must be kept intact: it cannot be changed, altered or transferred without
permission. For example, a message could be modified during transmission by
someone intercepting it before it reaches the intended recipient. Good
cryptography tools can help mitigate this security threat.
Digital signatures can improve information security by
enhancing authenticity processes and prompting individuals to prove their
identity before they can gain access to computer data.
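The paragraph above names the threat (a message altered in transit) and the remedy (cryptographic integrity and authenticity checks) without showing how the check catches the change. The following added example, written for this page and not taken from Techopedia or any product, uses an HMAC-SHA256 tag as a stand-in for the digital signature the text mentions: the tag proves the message is unchanged (integrity) and was produced by a holder of the shared key (authenticity). The key, the message and the interceptor's edit are all constructed for the demo; HMAC gives no confidentiality, so the message body here travels in the clear.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption): a real deployment provisions it out of band
# and never hard-codes it in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # length in bytes of an HMAC-SHA256 tag


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append tag = HMAC-SHA256(key, message) so the receiver can check that the
    message is unchanged (integrity) and that the sender held the key (authenticity)."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Return the message if its tag verifies; None if it was altered or keyed wrongly."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself leaks
    # nothing about how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None


def tamper_in_transit(packet: bytes) -> bytes:
    """Model the interceptor from the text: change the body, leave the tag untouched."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return message.replace(b"100", b"900", 1) + tag


def demo() -> dict:
    """Run the three cases a receiver must distinguish: intact, modified, wrong key."""
    original = b"transfer 100 to account 42"
    packet = protect(original)
    return {
        "intact": verify(packet),
        "tampered": verify(tamper_in_transit(packet)),
        "wrong_key": verify(packet, key=b"some-other-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted ' + result.decode() if result else 'rejected'}")
```

The receiver never looks at the message before the tag verifies; anything that fails is dropped rather than partially trusted. A real digital signature replaces the shared key with a private/public key pair so that the recipient can verify without being able to forge, which is the "prove their identity" property the paragraph describes.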
1.3 Hackers vs. Crackers
A cracker
(also known as a black hat hacker) is an individual with extensive computer
knowledge whose purpose is to breach or bypass internet security or gain
access to software without paying royalties. The general view is that, while
hackers build things, crackers break things. Cracker is the name given to
hackers who break into computers for criminal gain; whereas, hackers can also
be internet security experts hired to find vulnerabilities in systems. These
hackers are also known as white hat hackers. Crackers’ motivations can
range from profit, a cause they believe in, general maliciousness or just
because they like the challenge. They may steal credit card numbers, leave
viruses, destroy files or collect personal information to sell.
Crackers
can also refer to those who reverse engineer software and modify it for their
own amusement. The most common way crackers gain access to networks or
systems is through social engineering, whereby the cracker contacts employees
at a company and tricks them into divulging passwords and other information
that allows a cracker to gain access.
1.4 Classification of Hackers
The term hacker hasn’t always been the
negative title that it is today. A hacker originally described a person with a
desire to learn about technology and to experiment and who was technically
proficient with whatever systems they hacked.
The word predates personal
computers; some of the first hackers were members of the Massachusetts
Institute of Technology (MIT) Tech Model Railroad Club (TMRC) in the late
1950s. Students at MIT traditionally used the word hack to describe
elaborate pranks that they played. Thus a hack came to mean something
truly original, elegant, and ingenious. (To view a gallery of some of the most
ingenious hacks at MIT visit http://hacks.mit.edu.)
You can find a more detailed
description of the birth of hackers and hacking in Hackers, Heroes of the
Computer Revolution by Steven Levy (Penguin USA, 2001).
There once was a time when being
called a hacker was a sincere compliment of your technical abilities and
problem solving skills. These days, largely due to the popular media, when
people hear hacker, they wrongly think criminal. The tech community now distinguishes between hackers, who
identify security flaws in order to improve computer systems, and crackers, who
attempt to exploit those flaws to their own advantage. I use the term
cracker to refer to computer criminals or people unethically exploiting
systems.
Hackers: The White Hats
Just like in the old Hollywood
westerns, the good guys wear the white hats, at least
metaphorically. White hat is a term often used to describe ethical hackers
that stay entirely within the law. They never access a system or network
illegally, and they work tirelessly to expose holes in systems with the
ultimate goal of fixing flaws and improving security. Upon finding a flaw,
a white hat will usually notify the software vendor and give the company a
chance to patch the flaw before making the bug public knowledge.
White hats may be security
professionals, hired by companies to audit network security or test
software. Using the same software tools that crackers use, a white hat
seeks to improve the security of his own network by proactively attacking it as
a cracker would. White hats may even create software aimed at thwarting
tools available to crackers. White hats can use tools such as the Fake AP
to thwart wireless sniffers that crackers might use to discover wireless
networks.
Knowing how a cracker operates
enables a white hat to take steps to secure a network against likely avenues of
attack. Although some ex-crackers work as security consultants, simply
knowing how to crack a system doesn’t translate into being able to secure
it. White hats don’t acquire their skills illegally. By demonstrating
sound judgment and admirable ethics, they make a much better choice for
companies looking to hire a security consultant.
Crackers: The Black Hats
Hackers refer to the computer
world’s outlaws as black hats. The opposite of the white hat, a black hat
or cracker breaks into systems illegally for personal gain, vandalism, or
bragging rights. A cracker doesn’t need to be particularly knowledgeable
or skillful; in fact, most of them aren’t. Few crackers are skilled enough
to create their own software tools, so most rely on automated programs that
they download from disreputable Web sites.
Because crackers know they are
breaking the law, they do everything they can to cover their
tracks. Fortunately, security professionals catch quite a few of them
because the majority of crackers lack real skill. When the authorities do
catch them, their skill with a computer is often greatly exaggerated to promote
the agency making the arrest (and to sell newspapers and commercials).
Still, it’s important to
acknowledge that crackers present a serious threat: Many are technically
proficient and can cause a lot of damage, and many systems are so woefully
insecure that even technically inept crackers can wreak havoc on them.
The most dangerous crackers
Although the majority of crackers
are relatively unskilled, not all are inept. Some crackers have extensive
training and advanced skills. Often these crackers work as programmers or
IT consultants and learn the ins and outs of networks by administering them. They
have in-depth knowledge of network programming and can create tools to exploit
the weaknesses they discover. This programming skill is what separates
them from less-skilled computer criminals. It also makes them more
dangerous and harder to catch.
Often these crackers create tools
that enable less-skilled criminals to subvert security and exploit weaknesses
in computer systems. While skilled crackers are in the minority, they
can’t be ignored. By creating tools and malicious software (viruses, worms)
they act as a force-multiplier and create a greater problem than their numbers
may indicate. When planning for security it is wise to take the more
dangerous crackers into account and plan for a worst-case scenario.
Script kiddies, packet monkeys, and s’kiddiots
The most common type of cracker
goes by many names: script kiddies, packet monkeys, s’kiddiots, lamers, warez
d00dz (dudes), and wannabes. They lack any real technical ability and, for
the most part, cannot even program. To thwart the security of systems,
they rely on software tools created by others. They often use these tools
without any real understanding of what the actual program does.
A common pastime for script
kiddies is Web page defacement. They break into an insecure Web server and
replace the home page of a site with a page of their own design. Due to
their ineptitude and clumsiness, they are actually far less of a threat than
the media (and government) claims. However, because script kiddies make
great headlines, they are acknowledged by the press as hacker-geniuses.
One recent example of a script
kiddy is the case of 18-year-old high school student Jeffrey Lee
Parson. Authorities arrested Parson in August 2003 for creating a variant
of the Blaster worm,
dubbed Blaster.B. Parson, who went by the handle t33kid (teekid), created the
variant by editing the code of the original Blaster worm without any
understanding of what that code did. Luckily, due to his ineptitude, his
version of the worm was less virulent than the original Blaster and did little
damage in comparison. It’s amazing that it took the FBI as long as it did
to catch him (two weeks). Parson modified the worm to connect to his
personal Web site, where he openly provided other malicious software for
download. Tracking Parson through registration information for his Web
site was simple. Laughingly, the press and prosecutors dubbed him a
computer genius, further illustrating the problem of sensationalism in computer
crime reporting. (In fact, his mother went out of her way to tell the press he
“is not brilliant, he’s not a genius.”)
You can’t defend against a threat
that you don’t understand, and promoting novice crackers as dire threats to
national security doesn’t further the cause of public education on computer
security.
Insider insight
Besides the ethical difference
between the two, the major factor that separates hackers from the vast majority
of crackers is an understanding of computer systems and the ability to create
software. A real hacker can write code in one or more languages (C, C++,
assembly, Java) and understands what that code does and why it works (or
doesn’t). The majority of crackers have little programming ability, or
none at all, and usually don’t understand how the tools they use work. If
a machine gets hacked by a script kiddy, it’s usually because the administrator
didn’t maintain the machine and apply patches for known vulnerabilities.
Many crackers use aliases online
and hang out on Internet Relay Chat (IRC). Crackers like to brag about
their exploits, share software, and organize on IRC and Usenet
newsgroups. Often an alias can give you a good idea about whom you’re
dealing with. If the alias is L0rd Death, Terminator, or Cyber God, then
you’re probably not dealing with a secure, mature adult.
Script kiddies have their own
language. Called l33t (leet, short for elite), it has nothing to do with
real hackers or the way they write and speak. l33t evolved separately from
writing conventions in legitimate hackerdom, which usually were influenced by
the way users were required to write in older UNIX text editors, or from system
commands. l33t evolved on the old BBS systems and later IRC and Usenet.
Gray Hats
Nothing is ever as black and
white as we would like it to be, least of all human behavior. A gray hat
is a name given to an otherwise ethical hacker who walks a fine line between
legal and illegal hacking. Like white hats, gray hats find security holes
and report them; but unlike white hats, they often publicize the flaw before
giving the software developers a chance to fix the problem. Gray hats
maintain that they are improving security by compelling companies to fix
software.
Gray hats may also access
computer systems without permission, with the intent to find and report
flaws. While it’s better to have a gray hat finding holes in your network
rather than a black hat, when you’re under attack you have no way of distinguishing
between the two. In addition, in an attempt to thwart network security, a
gray hat that means well may inadvertently cause damage. Skilled gray hats
may produce software that exploits known flaws in systems, intending for
network administrators and security professionals to use the program for
network security testing. Unfortunately, even though this software can be
very constructive, crackers can use it for less noble purposes.
Occasionally you may hear the
term samurai hacker or Ronin. This refers to an independent white hat (or
gray hat) security consultant hired to audit and improve security. Most
samurai hackers claim to be loyal to their employers and to engage only in
ethical cracking. The name samurai hacker derives from the fierce loyalty
and high ethics associated with Japan’s samurai warriors.
Phreaks
A phreak is a hacker who
specializes in phone systems. These days, however, phreaking is more of a
cracker activity. At one time, phreaks were enthusiastic about telephone
networks and simply wanted to understand how they worked and explore
them. Ethical phreaks didn’t steal services or cause damage; they just
used their technical skill to play with the system. Phone systems have
changed and are less susceptible to technological hacks. As a result, modern
phreaks intent on cracking the telecommunications systems often rely on
criminal acts such as stealing phone cards and cloning cell phones.
Hacktivists
The hacktivist is a gray hat or
cracker who defaces Web pages to bring attention to a political agenda or
social cause. Companies, organizations, and governments that engage in
controversial practices or that have unpopular policies are likely targets of
hacktivists. How ethical this behavior is depends on whether or not you
support the hacktivist’s agenda or believe in his cause.
Being a hacktivist is not an indication of technical
prowess. Often Web sites are hosted on servers with known security holes
and can be defaced with automated tools. In the United Kingdom, a
hacktivist with the alias Herbless went on a hacktivism spree in 2000, hacking
the HSBC bank and government Web sites to protest fuel prices and the
government’s stance on smoking. His defacement of the Web pages included
an activist statement, as well as instructions for other hacktivists.
On one site, he left the
following message for the administrator:
Note to the administrator:
You should really enforce stronger passwords.
I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box.
Please note the only thing changed on this server is your index page, which has been backed up.
Nothing else has been altered.
Cyber wars between hacktivists on opposite sides
of a political debate are becoming more common. Israeli hacktivists deface
Arab sites, particularly Palestinian, and Arab hacktivists return
fire. Indian and Pakistani hacktivists routinely hack Web pages from each
other’s countries.
While hacktivism and Web page
defacement may seem harmless when compared to other cyber crime, such as online
credit card fraud, the damage done to the reputation of a company or agency can
be considerable.
1.5 Phases of Hacking
Phase 1—Reconnaissance
Phase 2—Scanning
Phase 3—Gaining Access
Phase 4—Maintaining Access
Phase 5—Covering Tracks
Phase 1: Passive and Active Reconnaissance
Passive reconnaissance involves gathering information regarding a potential target without
the targeted individual’s or company’s knowledge. Passive reconnaissance can be as simple as
watching a building to identify what time employees enter the building and when they leave.
However, it’s usually done using Internet searches or by Googling an individual or company
to gain information. This process is generally called information gathering. Social engineering and dumpster diving are also considered passive information-gathering methods.
Sniffing the network is another means of passive reconnaissance and can yield useful information
such as IP address ranges, naming conventions, hidden servers or networks, and other
available services on the system or network. Sniffing network traffic is similar to building
monitoring: A hacker watches the flow of data to see what time certain transactions take place
and where the traffic is going.
Active reconnaissance involves probing the network to discover individual hosts, IP addresses,
and services on the network. This usually involves more risk of detection than passive reconnaissance
and is sometimes called rattling the doorknobs. Active reconnaissance can give a hacker an
indication of security measures in place (is the front door locked?), but the process also increases
the chance of being caught or at least raising suspicion.
Both passive and active reconnaissance can lead to the discovery of useful information to
use in an attack. For example, it’s usually easy to find the type of web server and the operating
system (OS) version number that a company is using. This information may enable a hacker
to find a vulnerability in that OS version and exploit the vulnerability to gain more access.
Phase 2: Scanning
Scanning involves taking the information discovered during reconnaissance and using it to
examine the network. Tools that a hacker may employ during the scanning phase can include
dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are
seeking any information that can help them perpetrate an attack, such as computer names, IP
addresses, and user accounts.
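Active reconnaissance ("rattling the doorknobs") and scanning are the two phases the text says carry a real risk of detection, and this is where that risk comes from on the defender's side. The following added example, written for this page and not drawn from any product or from the original text, runs a simple port-scan detector over a constructed firewall log: for each source/destination pair it counts distinct destination ports within a sliding time window and raises an alert when the count reaches a threshold. The log format, addresses and thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log excerpt for the demo. The field layout is an assumption,
# not the format of any particular product. 203.0.113.7 touches twelve ports on one
# host in six seconds; 203.0.113.50 behaves like an ordinary web client.
SAMPLE_LOG = """\
2024-01-15T10:00:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=21 proto=tcp
2024-01-15T10:00:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=22 proto=tcp
2024-01-15T10:00:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=23 proto=tcp
2024-01-15T10:00:02 ALLOW src=203.0.113.50 dst=198.51.100.5 dport=443 proto=tcp
2024-01-15T10:00:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=25 proto=tcp
2024-01-15T10:00:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=53 proto=tcp
2024-01-15T10:00:03 ALLOW src=203.0.113.7 dst=198.51.100.5 dport=80 proto=tcp
2024-01-15T10:00:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=110 proto=tcp
2024-01-15T10:00:04 ALLOW src=203.0.113.50 dst=198.51.100.5 dport=443 proto=tcp
2024-01-15T10:00:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=135 proto=tcp
2024-01-15T10:00:05 DENY src=203.0.113.7 dst=198.51.100.5 dport=139 proto=tcp
2024-01-15T10:00:05 ALLOW src=203.0.113.50 dst=198.51.100.5 dport=80 proto=tcp
2024-01-15T10:00:05 DENY src=203.0.113.7 dst=198.51.100.5 dport=143 proto=tcp
2024-01-15T10:00:06 ALLOW src=203.0.113.7 dst=198.51.100.5 dport=443 proto=tcp
2024-01-15T10:00:06 DENY src=203.0.113.7 dst=198.51.100.5 dport=445 proto=tcp
2024-01-15T10:30:00 DENY src=203.0.113.7 dst=198.51.100.5 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_events(log_text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_port_scans(events, window=timedelta(seconds=10), threshold=10):
    """Return {(src, dst): max distinct ports seen within `window`} for pairs that
    reach `threshold`. ALLOW and DENY both count: a scan that finds open ports
    still shows up as many distinct ports from one source."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it covers only `window` seconds.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(parse_events(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in window")
```

The lone probe at 10:30 falls outside the window and does not change the alert, which is the trade-off a defender tunes: a short window with a high threshold catches fast scanners and misses slow ones, a long window catches slow scans at the cost of more false alarms from busy legitimate clients.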
Phase 3: Gaining Access
This is the phase where the real hacking takes place. Vulnerabilities discovered
during the reconnaissance and scanning phase are now exploited to gain access.
The method of connection the hacker uses for an exploit can be a local area
network (LAN, either wired or wireless), local access to a PC, the Internet, or
offline. Examples include stack-based buffer overflows, denial of service
(DoS), and session hijacking. These topics will be discussed in later chapters.
Gaining access is known in the hacker world as owning the system.
Phase 4: Maintaining Access
Once a hacker has gained access, they want to keep that access for future exploitation and
attacks. Sometimes, hackers harden the system from other hackers or security personnel by
securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns
the system, they can use it as a base to launch additional attacks. In this case, the owned system
is sometimes referred to as a zombie system.
Phase 5: Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid
detection by security personnel, to continue to use the owned system, to remove evidence of
hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files
or intrusion detection system (IDS) alarms. Examples of activities during this phase of the
attack include steganography, the use of tunneling protocols, and altering log files.
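Altering log files only works when nothing records what the log looked like before. The following added example, written for this page and not part of the original text, shows the defender's counter to this phase: a tamper-evident log in which each entry carries a keyed hash over the previous entry's digest and its own text, and the final digest (the "head") is anchored off the host. Editing, deleting or truncating entries afterwards breaks the chain at a detectable position. The key and the auth-log style records are constructed for the demo.

```python
import hashlib
import hmac

# Constructed chain key (assumption): in practice it lives on the collector or an HSM,
# not on the host whose logs it protects, so an intruder there cannot recompute digests.
CHAIN_KEY = b"constructed-demo-key-for-log-chain"
GENESIS = b"0" * 64  # digest "before" the first entry

# Constructed log records in the style of an auth log; not from any real system.
RECORDS = [
    "Jan 15 10:00:01 sshd[201]: Accepted publickey for alice from 198.51.100.20",
    "Jan 15 10:02:13 sshd[202]: Failed password for root from 203.0.113.7",
    "Jan 15 10:02:14 sshd[202]: Failed password for root from 203.0.113.7",
    "Jan 15 10:02:20 sshd[203]: Accepted password for root from 203.0.113.7",
    "Jan 15 10:05:00 sudo: root : COMMAND=/usr/bin/passwd alice",
]


def chain_entry(prev_digest: bytes, record: str) -> str:
    """Hex digest binding this record to everything logged before it."""
    return hmac.new(CHAIN_KEY, prev_digest + record.encode(), hashlib.sha256).hexdigest()


def build_log(records):
    """Return [(record, digest), ...]; the last digest is the head to anchor off-host."""
    prev, entries = GENESIS, []
    for record in records:
        digest = chain_entry(prev, record)
        entries.append((record, digest))
        prev = digest.encode()
    return entries


def verify_log(entries, expected_head: str) -> str:
    """Walk the chain; report the first broken link, a truncated tail, or 'intact'."""
    prev = GENESIS
    for i, (record, digest) in enumerate(entries):
        if not hmac.compare_digest(chain_entry(prev, record), digest):
            return f"tampered at index {i}"
        prev = digest.encode()
    # Every link verified, but the chain may simply stop early: compare to the anchored head.
    if not hmac.compare_digest(prev, expected_head.encode()):
        return "truncated"
    return "intact"


if __name__ == "__main__":
    entries = build_log(RECORDS)
    head = entries[-1][1]                      # shipped to the log collector
    print(verify_log(entries, head))           # intact
    edited = list(entries)
    edited[3] = ("Jan 15 10:02:20 sshd[203]: Connection closed by 203.0.113.7", edited[3][1])
    print(verify_log(edited, head))            # the rewritten root login is caught
    print(verify_log(entries[:-1], head))      # dropping the sudo line is caught
```

Removing a middle entry is reported at the position where the chain no longer links, and removing the tail is reported only because the head was stored somewhere the intruder could not reach; without that anchor, truncation is invisible, which is why forwarding logs to a separate collector matters more than the hash itself.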