Chapter 1 – Introduction

1.1 History of Hacking & Hackers

Hacking has been around for more than a century. In the 1870s, several teenagers were flung off the country's brand new phone system by enraged authorities. Here's a peek at how busy hackers have been in the past 35 years.

Early 1960s
University facilities with huge mainframe computers, like MIT's artificial intelligence lab, become staging grounds for hackers. At first, "hacker" was a positive term for a person with a mastery of computers who could push programs beyond what they were designed to do.

Early 1970s
John Draper makes a long-distance call for free by blowing a precise tone into a telephone that tells the phone system to open a line. Draper discovered the whistle as a give-away in a box of children's cereal. Draper, who later earns the handle "Captain Crunch," is arrested repeatedly for phone tampering throughout the 1970s.

Yippie social movement starts YIPL/TAP (Youth International Party Line/Technical Assistance Program) magazine to help phone hackers (called "phreaks") make free long-distance calls.

Two members of California's Homebrew Computer Club begin making "blue boxes," devices used to hack into the phone system. The members, who adopt handles "Berkeley Blue" (Steve Jobs) and "Oak Toebark" (Steve Wozniak), later go on to found Apple Computer.

Early 1980s
Author William Gibson coins the term "cyberspace" in a science fiction novel called Neuromancer.

In one of the first arrests of hackers, the FBI busts the Milwaukee-based 414s (named after the local area code) after members are accused of 60 computer break-ins ranging from Memorial Sloan-Kettering Cancer Center to Los Alamos National Laboratory.

Comprehensive Crime Control Act gives Secret Service jurisdiction over credit card and computer fraud.


Two hacker groups form, the Legion of Doom in the United States and the Chaos Computer Club in Germany.

2600: The Hacker Quarterly is founded to share tips on phone and computer hacking.

Late 1980s
The Computer Fraud and Abuse Act gives more clout to federal authorities.
Computer Emergency Response Team is formed by U.S. defense agencies. Based at Carnegie Mellon University in Pittsburgh, its mission is to investigate the growing volume of attacks on computer networks.
At 25, veteran hacker Kevin Mitnick secretly monitors the e-mail of MCI and Digital Equipment security officials. He is convicted of damaging computers and stealing software and is sentenced to one year in prison.

First National Bank of Chicago is the victim of a $70-million computer heist.

An Indiana hacker known as "Fry Guy" -- so named for hacking McDonald's -- is raided by law enforcement. A similar sweep occurs in Atlanta for Legion of Doom hackers known by the handles "Prophet," "Leftist" and "Urvile."

Early 1990s

After AT&T long-distance service crashes on Martin Luther King Jr. Day, law enforcement starts a national crackdown on hackers. The feds nab St. Louis' "Knight Lightning" and in New York grab Masters of Deception trio "Phiber Optik," "Acid Phreak" and "Scorpion." Fellow hacker "Eric Bloodaxe" is picked up in Austin, Texas.
Operation Sundevil, a special team of Secret Service agents and members of Arizona's organized crime unit, conducts raids in 12 major cities, including Miami.

A 17-month search ends in the capture of hacker Kevin Lee Poulsen ("Dark Dante"), who is indicted for stealing military documents.

Hackers break into Griffith Air Force Base, then penetrate computers at NASA and the Korean Atomic Research Institute. Scotland Yard nabs "Data Stream," a 16-year-old British teenager who curls up in the fetal position when seized.

A Texas A&M professor receives death threats after a hacker logs on to his computer from off-campus and sends 20,000 racist e-mail messages using his Internet address.
In a highly publicized case, Kevin Mitnick is arrested (again), this time in Raleigh, N.C., after he is tracked down via computer by Tsutomu Shimomura at the San Diego Supercomputer Center.

Late 1990s
Hackers break into and deface federal Web sites, including the U.S. Department of Justice, U.S. Air Force, CIA, NASA and others.
Report by the General Accounting Office finds Defense Department computers sustained 250,000 attacks by hackers in 1995 alone.
A Canadian hacker group called the Brotherhood, angry at hackers being falsely accused of electronically stalking a Canadian family, breaks into the Canadian Broadcasting Corp. Web site and leaves the message: "The media are liars." The family's own 15-year-old son eventually is identified as the stalking culprit.
Hackers pierce security in Microsoft's NT operating system to illustrate its weaknesses.
Popular Internet search engine Yahoo! is hit by hackers claiming a "logic bomb" will go off in the PCs of Yahoo!'s users on Christmas Day 1997 unless Kevin Mitnick is released from prison. "There is no virus," Yahoo! spokeswoman Diane Hunt said.

1998
Anti-hacker ad runs during Super Bowl XXXII. The Network Associates ad, costing $1.3-million for 30 seconds, shows two Russian missile silo crewmen worrying that a computer order to launch missiles may have come from a hacker. They decide to blow up the world anyway.

In January, the federal Bureau of Labor Statistics is inundated for days with hundreds of thousands of fake information requests, a hacker attack called "spamming."

Hackers break into the United Nations Children's Fund Web site, threatening a "holocaust" if Kevin Mitnick is not freed.

Hackers claim to have broken into a Pentagon network and stolen software for a military satellite system. They threaten to sell the software to terrorists.

The U.S. Justice Department unveils National Infrastructure Protection Center, which is given a mission to protect the nation's telecommunications, technology and transportation systems from hackers.

Hacker group L0pht, in testimony before Congress, warns it could shut down nationwide access to the Internet in less than 30 minutes. The group urges stronger security measures.

1.2 What is Information Security?

Definition - What does Information Security (IS) mean?


Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security. This triad has evolved into what is commonly termed the Parkerian hexad, which includes confidentiality, possession (or control), integrity, authenticity, availability and utility.

Techopedia explains Information Security (IS)

Information security handles risk management. Anything can act as a risk or a threat to the CIA triad or Parkerian hexad. Sensitive information must be kept intact: it cannot be changed, altered or transferred without permission. For example, a message could be modified during transmission by someone intercepting it before it reaches the intended recipient. Good cryptography tools can help mitigate this security threat.
Digital signatures can improve information security by enhancing authenticity processes and prompting individuals to prove their identity before they can gain access to computer data.


1.3  Hackers vs. Crackers


A cracker (also known as a black hat hacker) is an individual with extensive computer knowledge whose purpose is to breach or bypass internet security or gain access to software without paying royalties. The general view is that, while hackers build things, crackers break things. Cracker is the name given to hackers who break into computers for criminal gain; whereas, hackers can also be internet security experts hired to find vulnerabilities in systems. These hackers are also known as white hat hackers.  Crackers’ motivations can range from profit, a cause they believe in, general maliciousness or just because they like the challenge. They may steal credit card numbers, leave viruses, destroy files or collect personal information to sell.
Cracker can also refer to those who reverse engineer software and modify it for their own amusement. The most common way crackers gain access to networks or systems is through social engineering, whereby the cracker contacts employees at a company and tricks them into divulging passwords and other information that allows a cracker to gain access.




1.4 Classification of Hackers

The term hacker hasn’t always been the negative title that it is today. A hacker originally described a person with a desire to learn about technology and to experiment and who was technically proficient with whatever systems they hacked.

The word predates personal computers; some of the first hackers were members of the Massachusetts Institute of Technology (MIT) Tech Model Railroading Club (TMRC) in the late 1950s. Students at MIT traditionally used the word hack to describe elaborate pranks that they played. Thus a hack came to mean something truly original, elegant, and ingenious. (To view a gallery of some of the most ingenious hacks at MIT visit http://hacks.mit.edu.)
You can find a more detailed description of the birth of hackers and hacking in Hackers, Heroes of the Computer Revolution by Steven Levy (Penguin USA, 2001).
There once was a time when being called a hacker was a sincere compliment of your technical abilities and problem solving skills. These days, largely due to the popular media, when people hear hacker, they wrongly think criminal. The tech community now distinguishes between hackers, who identify security flaws in order to improve computer systems, and crackers, who attempt to exploit those flaws to their own advantage. I use the term cracker to refer to computer criminals or people unethically exploiting systems.
Hackers: The White Hats
Just like in the old Hollywood westerns, the good guys wear the white hats, at least metaphorically. White hat is a term often used to describe ethical hackers that stay entirely within the law. They never access a system or network illegally, and they work tirelessly to expose holes in systems with the ultimate goal of fixing flaws and improving security. Upon finding a flaw, a white hat will usually notify the software vendor and give the company a chance to patch the flaw before making the bug public knowledge.
White hats may be security professionals, hired by companies to audit network security or test software. Using the same software tools that crackers use, a white hat seeks to improve the security of his own network by proactively attacking it as a cracker would. White hats may even create software aimed at thwarting tools available to crackers. White hats can use tools such as the Fake AP to thwart wireless sniffers that crackers might use to discover wireless networks.
Knowing how a cracker operates enables a white hat to take steps to secure a network against likely avenues of attack. Although some ex-crackers work as security consultants, simply knowing how to crack a system doesn’t translate into being able to secure it. White hats don’t acquire their skills illegally. By demonstrating sound judgment and admirable ethics, they make a much better choice for companies looking to hire a security consultant.

Crackers: The Black Hats

Hackers refer to the computer world’s outlaws as black hats. The opposite of the white hat, a black hat or cracker breaks into systems illegally for personal gain, vandalism, or bragging rights. A cracker doesn’t need to be particularly knowledgeable or skillful; in fact, most of them aren’t. Few crackers are skilled enough to create their own software tools, so most rely on automated programs that they download from disreputable Web sites.
Because crackers know they are breaking the law, they do everything they can to cover their tracks. Fortunately, security professionals catch quite a few of them because the majority of crackers lack real skill. When the authorities do catch them, their skill with a computer is often greatly exaggerated to promote the agency making the arrest (and to sell newspapers and commercials).
Still, it’s important to acknowledge that crackers present a serious threat: Many are technically proficient and can cause a lot of damage, and many systems are so woefully insecure that even technically inept crackers can wreak havoc on them.

The most dangerous crackers

Although the majority of crackers are relatively unskilled, not all are inept. Some crackers have extensive training and advanced skills. Often these crackers work as programmers or IT consultants and learn the ins and outs of networks by administering them. They have in-depth knowledge of network programming and can create tools to exploit the weaknesses they discover. This programming skill is what separates them from less-skilled computer criminals. It also makes them more dangerous and harder to catch.
Often these crackers create tools that enable less-skilled criminals to subvert security and exploit weaknesses in computer systems. While skilled crackers are in the minority, they can’t be ignored. By creating tools and malicious software (viruses, worms) they act as a force-multiplier and create a greater problem than their numbers may indicate. When planning for security it is wise to take the more dangerous crackers into account and plan for a worst-case scenario.

Script kiddies, packet monkeys, and s’kiddiots

The most common type of cracker goes by many names: script kiddies, packet monkeys, s’kiddiots, lamers, warez d00dz (dudes), and wannabes. They lack any real technical ability and, for the most part, cannot even program. To thwart the security of systems, they rely on software tools created by others. They often use these tools without any real understanding of what the actual program does.
A common pastime for script kiddies is Web page defacement. They break into an insecure Web server and replace the home page of a site with a page of their own design. Due to their ineptitude and clumsiness, they are actually far less of a threat than the media (and government) claims. However, because script kiddies make great headlines, they are acknowledged by the press as hacker-geniuses.
One recent example of a script kiddy is the case of 18-year-old high school student Jeffrey Lee Parson. Authorities arrested Parson in August 2003 for creating a variant of the Blaster worm, dubbed Blaster.B. Parson, who went by the handle t33kid (teekid), created the variant by editing the code of the original Blaster worm without any understanding of what that code did. Luckily, due to his ineptitude, his version of the worm was less virulent than the original Blaster and did little damage in comparison. It’s amazing that it took the FBI as long as it did to catch him (two weeks). Parson modified the worm to connect to his personal Web site, where he openly provided other malicious software for download. Tracking Parson through registration information for his Web site was simple. Laughingly, the press and prosecutors dubbed him a computer genius, further illustrating the problem of sensationalism in computer crime reporting. (In fact, his mother went out of her way to tell the press he “is not brilliant, he’s not a genius.”)
You can’t defend against a threat that you don’t understand, and promoting novice crackers as dire threats to national security doesn’t further the cause of public education on computer security.

Insider insight

Besides the ethical difference between the two, the major factor that separates hackers from the vast majority of crackers is an understanding of computer systems and the ability to create software. A real hacker can write code in one or more languages (C, C++, assembly, Java) and understands what that code does and why it works (or doesn’t). The majority of crackers have little programming ability, or none at all, and usually don’t understand how the tools they use work. If a machine gets hacked by a script kiddy, it’s usually because the administrator didn’t maintain the machine and apply patches for known vulnerabilities.
Many crackers use aliases online and hang out on Internet Relay Chat (IRC). Crackers like to brag about their exploits, share software, and organize on IRC and Usenet newsgroups. Often an alias can give you a good idea about whom you’re dealing with. If the alias is L0rd Death, Terminator, or Cyber God, then you’re probably not dealing with a secure, mature adult.
Script kiddies have their own language. Called 133t (leet, short for elite), it has nothing to do with real hackers or the way they write and speak. 133t evolved separately from the writing conventions of legitimate hackerdom, which usually were influenced by the way users were required to write in older UNIX text editors, or by system commands. 133t evolved on the old BBS systems and later on IRC and Usenet.

Gray Hats

Nothing is ever as black and white as we would like it to be, least of all human behavior. A gray hat is a name given to an otherwise ethical hacker who walks a fine line between legal and illegal hacking. Like white hats, gray hats find security holes and report them; but unlike white hats, they often publicize the flaw before giving the software developers a chance to fix the problem. Gray hats maintain that they are improving security by compelling companies to fix software.
Gray hats may also access computer systems without permission, with the intent to find and report flaws. While it’s better to have a gray hat finding holes in your network rather than a black hat, when you’re under attack you have no way of distinguishing between the two. In addition, in an attempt to thwart network security, a gray hat that means well may inadvertently cause damage. Skilled gray hats may produce software that exploits known flaws in systems, intending for network administrators and security professionals to use the program for network security testing. Unfortunately, even though this software can be very constructive, crackers can use it for less noble purposes.
Occasionally you may hear the term samurai hacker or Ronin. This refers to an independent white hat (or gray hat) security consultant hired to audit and improve security. Most samurai hackers claim to be loyal to their employers and to engage only in ethical cracking. The name samurai hacker derives from the fierce loyalty and high ethics associated with Japan’s samurai warriors.

Phreaks

A phreak is a hacker who specializes in phone systems. These days, however, phreaking is more of a cracker activity. At one time, phreaks were enthusiastic about telephone networks and simply wanted to understand how they worked and explore them. Ethical phreaks didn’t steal services or cause damage; they just used their technical skill to play with the system. Phone systems have changed and are less susceptible to technological hacks. As a result, modern phreaks intent on cracking the telecommunications systems often rely on criminal acts such as stealing phone cards and cloning cell phones.

Hacktivists

The hacktivist is a gray hat or cracker who defaces Web pages to bring attention to a political agenda or social cause. Companies, organizations, and governments that engage in controversial practices or that have unpopular policies are likely targets of hacktivists. How ethical this behavior is depends on whether or not you support the hacktivist’s agenda or believe in his cause.
Being a hacktivist is not an indication of technical prowess. Often Web sites are hosted on servers with known security holes and can be defaced with automated tools. In the United Kingdom, a hacktivist with the alias Herbless went on a hacktivism spree in 2000, hacking the HSBC bank and government Web sites to protest fuel prices and the government’s stance on smoking. His defacement of the Web pages included an activist statement, as well as instructions for other hacktivists.
On one site, he left the following message for the administrator:
Note to the administrator:
You should really enforce stronger passwords.
I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box.
Please note the only thing changed on this server is your index page, which has been backed up.
Nothing else has been altered.
Cyber wars between hacktivists on opposite sides of a political debate are becoming more common. Israeli hacktivists deface Arab sites, particularly Palestinian, and Arab hacktivists return fire. Indian and Pakistani hacktivists routinely hack Web pages from each other’s countries.
While hacktivism and Web page defacement may seem harmless when compared to other cyber crime, such as online credit card fraud, the damage done to the reputation of a company or agency can be considerable.



1.5 Phases of hacking

Phase 1—Reconnaissance
Phase 2—Scanning
Phase 3—Gaining Access
Phase 4—Maintaining Access
Phase 5—Covering Tracks

Phase 1: Passive and Active Reconnaissance
Passive reconnaissance involves gathering information regarding a potential target without the targeted individual’s or company’s knowledge. Passive reconnaissance can be as simple as watching a building to identify what time employees enter the building and when they leave. However, it’s usually done using Internet searches or by Googling an individual or company to gain information. This process is generally called information gathering. Social engineering and dumpster diving are also considered passive information-gathering methods.
 
Sniffing the network is another means of passive reconnaissance and can yield useful information such as IP address ranges, naming conventions, hidden servers or networks, and other available services on the system or network. Sniffing network traffic is similar to building monitoring: A hacker watches the flow of data to see what time certain transactions take place and where the traffic is going.

Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network. This usually involves more risk of detection than passive reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a hacker an indication of security measures in place (is the front door locked?), but the process also increases the chance of being caught or at least raising suspicion.

Both passive and active reconnaissance can lead to the discovery of useful information to use in an attack. For example, it’s usually easy to find the type of web server and the operating system (OS) version number that a company is using. This information may enable a hacker to find a vulnerability in that OS version and exploit the vulnerability to gain more access.
 
Phase 2: Scanning
Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase can include dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.

Phase 3: Gaining Access 
This is the phase where the real hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phase are now exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service (DoS), and session hijacking. These topics will be discussed in later chapters. Gaining access is known in the hacker world as owning the system.

Phase 4: Maintaining Access
Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.
 
Phase 5: Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunneling protocols, and altering log files.
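As an added, defender-side example that is not part of the chapter, the Go program below shows what the scanning phase looks like from the target's end: it reads constructed firewall log lines and flags any source that probes several distinct ports inside a short time window, which is the kind of check an intrusion detection system (IDS) runs. The log format, the addresses (documentation ranges) and the thresholds are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed firewall log line: time, source address, destination port.
type Event struct {
	When       time.Time
	Src, Dport string
}

// parseLine parses one constructed "<RFC3339 time> <action> src=... dst=... dport=..." line.
func parseLine(line string) (ev Event, ok bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return ev, false
	}
	kv := map[string]string{}
	for _, field := range f[2:] { // key=value fields after timestamp and action
		if k, v, found := strings.Cut(field, "="); found {
			kv[k] = v
		}
	}
	when, err := time.Parse(time.RFC3339, f[0])
	ev = Event{When: when, Src: kv["src"], Dport: kv["dport"]}
	return ev, err == nil && ev.Src != "" && ev.Dport != ""
}

// DetectScans returns the set of sources that touched at least minPorts distinct
// destination ports within some window of the given length (log in time order).
// A sweep slower than the window is missed: window and minPorts are the knobs a
// defender tunes between catching slow scans and raising false alarms.
func DetectScans(log string, window time.Duration, minPorts int) map[string]bool {
	bySrc := map[string][]Event{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := parseLine(line); ok {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev)
		}
	}
	flagged := map[string]bool{}
	for src, evs := range bySrc {
		seen, start := map[string]int{}, 0 // port -> hits inside the current window
		for end := range evs {
			seen[evs[end].Dport]++
			for evs[end].When.Sub(evs[start].When) > window { // slide window forward
				p := evs[start].Dport
				if seen[p]--; seen[p] == 0 {
					delete(seen, p)
				}
				start++
			}
			if len(seen) >= minPorts {
				flagged[src] = true
				break
			}
		}
	}
	return flagged
}

// SampleLog is constructed for this example: 203.0.113.5 sweeps three ports in one
// second, 198.51.100.7 is ordinary web traffic, 203.0.113.9 probes one port every 30 s.
const SampleLog = `2024-01-01T10:00:00Z DROP src=203.0.113.5 dst=192.0.2.10 dport=21
2024-01-01T10:00:00Z DROP src=203.0.113.5 dst=192.0.2.10 dport=22
2024-01-01T10:00:01Z ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80
2024-01-01T10:00:02Z ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443
2024-01-01T10:00:10Z DROP src=203.0.113.9 dst=192.0.2.10 dport=21
2024-01-01T10:00:40Z DROP src=203.0.113.9 dst=192.0.2.10 dport=22
2024-01-01T10:01:10Z DROP src=203.0.113.9 dst=192.0.2.10 dport=23`

func main() {
	fmt.Println(DetectScans(SampleLog, 10*time.Second, 3)) // map[203.0.113.5:true]
}
```

Widening the window to a few minutes makes the same code flag the slow 30-second sweep from 203.0.113.9 as well, at the cost of more false alarms on busy hosts.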





