Chapter 8

Malicious Code and Application Attacks

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

• Operations Security
  • Prevent or respond to attacks (e.g., malicious code, zero-day exploit, denial of service)
  • Implement and support patch and vulnerability management

• Application Development Security
  • Understand the application environment and security controls
    • Security of the application environment; security issues of programming languages; security issues in source code (e.g., buffer overflow)

In previous chapters, you learned about many general security principles and the policy and procedure mechanisms that help security practitioners develop adequate protection against malicious individuals. This chapter takes an in-depth look at some of the specific threats faced on a daily basis by administrators in the field.

This material is not only critical for the CISSP exam, but it’s also some of the most basic information a computer security professional must understand to effectively practice their trade. We’ll begin this chapter by looking at the risks posed by malicious code objects—viruses, worms, logic bombs, and Trojan horses. We’ll then take a look at some of the other security exploits used by someone attempting to gain unauthorized access to a system or to prevent legitimate users from gaining such access.

Malicious Code

Malicious code objects include a broad range of programmed computer security threats that exploit various network, operating system, software, and physical security vulnerabilities to spread malicious payloads to computer systems. Some malicious code objects, such as computer viruses and Trojan horses, depend upon irresponsible computer use by humans in order to spread from system to system with any success. Other objects, such as worms, spread rapidly among vulnerable systems under their own power.

All computer security practitioners must be familiar with the risks posed by the various types of malicious code objects so they can develop adequate countermeasures to protect the systems under their care as well as implement appropriate responses if their systems are compromised.

Sources

Where does malicious code come from? In the early days of computer security, malicious code writers were extremely skilled (albeit misguided) software developers who took pride in carefully crafting innovative malicious code techniques. Indeed, they actually served a somewhat useful function by exposing security holes in popular software packages and operating systems, raising the security awareness of the computing community. For an example of this type of code writer, see the sidebar “RTM and the Internet Worm” later in this chapter.

Modern times have given rise to the script kiddie—the malicious individual who doesn’t understand the technology behind security vulnerabilities but downloads ready-to-use software (or scripts) from the Internet and uses them to launch attacks against remote systems. This trend gave birth to a new breed of virus creation software that allows anyone with a minimal level of technical expertise to create a virus and unleash it upon the Internet. This is reflected in the large number of viruses documented by antivirus experts to date. The amateur malicious code developers are usually just experimenting with the new tool they downloaded or attempting to cause problems for one or two enemies. Unfortunately, the malware sometimes spread rapidly and cause problems for Internet users in general. In addition, the tools used by script kiddies are freely available to those with more sinister criminal intent. Indeed, many in law enforcement believe that international organized crime syndicates may now play a role in malware proliferation. These criminals, located in countries with weak law enforcement mechanisms, use malware to steal the money and identities of people from around the world, especially residents of the United States.

Viruses

The computer virus is perhaps the earliest form of malicious code to plague security administrators. Indeed, viruses are so prevalent nowadays that major outbreaks receive attention from the mass media and provoke mild hysteria among average computer users. According to Symantec, one of the major antivirus software vendors, there were over 1.1 million strains of viruses roaming the global network in 2008. Hundreds of thousands of variations of these viruses strike unsuspecting computer users each day. Many carry malicious payloads that cause damage ranging in scope from displaying a profane message on the screen all the way to causing complete destruction of all data stored on the local hard drive.

As with biological viruses, computer viruses have two main functions—propagation and destruction. Miscreants who create viruses carefully design code to implement these functions in new and innovative methods that they hope escape detection and bypass increasingly sophisticated antivirus technology. It’s fair to say that an arms race has developed between virus writers and antivirus technicians, each hoping to develop technology one step ahead of the other. The propagation function defines how the virus will spread from system to system, infecting each machine it leaves in its wake. A virus’s payload delivers the destructive power by implementing whatever malicious activity the virus writer had in mind. This could be anything that negatively impacts the confidentiality, integrity, or availability of systems or data.

Virus Propagation Techniques

By definition, a virus must contain technology that enables it to spread from system to system, aided by unsuspecting computer users seeking to share data by exchanging disks, sharing networked resources, sending electronic mail, or using some other means. Once they’ve “touched” a new system, they use one of several propagation techniques to infect the new victim and expand their reach. In the following sections, we’ll look at three common propagation techniques: master boot record infection, file infection, and macro infection.

Master Boot Record Viruses

The master boot record virus (or MBR virus) is one of the earliest known forms of virus infection. These viruses attack the MBR, the portion of bootable media (such as a hard drive, floppy disk, or CD/DVD) that the computer uses to load the operating system during the boot process. Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code required to implement the virus’s propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus’s payload.

Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users. If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory, infects the MBR on the target system’s hard drive, and spreads its infection to yet another machine.

File Infector Viruses

Many viruses infect different types of executable files and trigger when the operating system attempts to execute them. For Windows-based systems, the names of these files end with .exe and .com extensions. The propagation routines of file infector viruses may slightly alter the code of an executable program, therefore implanting the technology the virus needs to replicate and damage the system. In some cases, the virus might actually replace the entire file with an infected version. Standard file infector viruses that do not use cloaking techniques such as stealth or encryption (see the section “Virus Technologies” later in this chapter) are often easily detected by comparing file characteristics (such as size and modification date) before and after infection or by comparing hash values. The section “Antivirus Mechanisms” provides technical details behind these techniques.

A variation of the file infector virus is the companion virus. These viruses are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file. They rely on the default filename extensions that Windows-based operating systems append to commands when executing program files (.com, .exe, and .bat, in that order). For example, if you had a program on your hard disk named GAME.EXE, a companion virus might use the name GAME.COM. If you then open a Command tool and simply type GAME, the operating system would execute the virus file, GAME.COM, instead of the file you actually intended to execute, GAME.EXE. This is a very good reason to avoid shortcuts and fully specify the name of the file you want to execute.

Macro Viruses

Many common software applications implement some sort of scripting functionality to assist with the automation of repetitive tasks. These functionalities often use simple, yet powerful, programming languages such as Visual Basic for Applications (VBA). Although macros do indeed offer great productivity-enhancing opportunities to computer users, they also expose systems to yet another avenue of infection—macro viruses.

Macro viruses first appeared on the scene in the mid-1990s, utilizing crude technologies to infect documents created in the popular Microsoft Word environment. Although they were relatively unsophisticated, these viruses spread rapidly because the antivirus community didn’t anticipate them, and therefore, antivirus applications didn’t provide any defense against them. Macro viruses quickly became more and more commonplace, and vendors rushed to modify their antivirus platforms to scan application documents for malicious macros. In 1999, the Melissa virus spread through the use of a Word document that exploited a security vulnerability in Microsoft Outlook to replicate. The infamous I Love You virus quickly followed on its heels, exploiting similar vulnerabilities in early 2000.

Although the vast majority of macro viruses infect documents created by applications belonging to the Microsoft Office suite (including Word, Excel, PowerPoint, Access, and Outlook), users of other applications are not immune. Viruses exist that infect Lotus Notes, WordPerfect, and more. Macro viruses are the primary reason that modern office productivity software disables unsigned macros by default.

Platforms

Just as most macro viruses infect systems running the popular Microsoft Office suite of applications, most computer viruses are designed to disrupt activity on systems running versions of the world’s most popular operating system—Microsoft Windows. It’s estimated that less than 1 percent of the viruses “in the wild” today are designed to impact other operating systems, such as Unix and Mac OS.

The main reason for this is that there really is no “Unix” operating system. Rather, there is a series of many similar operating systems that implement the same functions in a similar fashion and that are independently designed by a large number of developers. Large-scale corporate efforts, such as Sun’s Solaris and SCO Unix, compete with the myriad of freely available versions of the Linux operating system developed by the public at large. The sheer number of Unix versions and the fact that they are developed on entirely different kernels (the core code of an operating system) make it difficult to write a virus that would impact a large portion of Unix systems.

That said, Macintosh and Unix users should not rest on their laurels. The fact that there are only a few viruses out there that pose a risk to their systems does not mean that one of those viruses couldn’t affect their systems at any moment. Anyone responsible for the security of a computer system should implement adequate antivirus mechanisms to ensure the continued safety of their resources.

Antivirus Mechanisms

Almost every desktop computer in service today runs some sort of antivirus software package. Popular desktop titles include McAfee VirusScan and Norton AntiVirus, but a plethora of other products on the market offer protection for anything from a single system to an entire enterprise; other packages are designed to protect against specific common types of virus invasion vectors, such as inbound email.

The vast majority of these packages utilize a method known as signature-based detection to identify potential virus infections on a system. Essentially, an antivirus package maintains an extremely large database that contains the telltale characteristics of all known viruses. Depending upon the antivirus package and configuration settings, it scans storage media periodically, checking for any files that contain data matching those criteria. If any are detected, the antivirus package takes one of the following actions:

• If the software can eradicate the virus, it disinfects the affected files and restores the machine to a safe condition.
• If the software recognizes the virus but doesn’t know how to disinfect the files, it may quarantine the files until the user or an administrator can examine them manually.
• If security settings/policies do not provide for quarantine or the files exceed a predefined danger threshold, the antivirus package may delete the infected files in an attempt to preserve system integrity.

When using a signature-based antivirus package, it’s essential to remember that the package is only as effective as the virus definition file upon which it’s based. If you don’t frequently update your virus definitions (usually requiring an annual subscription fee), your antivirus software will not be able to detect newly created viruses. With thousands of viruses appearing on the Internet each year, an outdated definition file will quickly render your defenses ineffective.

Many antivirus packages also use heuristic-based mechanisms to detect potential malware infections. These methods analyze the behavior of software, looking for the telltale signs of virus activity, such as attempts to elevate privilege level, cover their electronic tracks, and alter unrelated or operating system files.

Most of the modern antivirus software products are able to detect and remove a wide variety of types of malicious code and then clean the system. In other words, antivirus solutions are rarely limited to just viruses. These tools are often able to provide protection against worms, Trojan horses, logic bombs, rootkits, spyware, and various other forms of email- or web-borne code. In the event that you suspect new malicious code is sweeping the Internet, your best course of action is to contact your antivirus software vendor to inquire about your state of protection against the new threat. Don’t wait until the next scheduled or automated signature dictionary update. Furthermore, never accept the word of any third party about protection status offered by an antivirus solution. Always contact the vendor directly. Most responsible antivirus vendors will send alerts to their customers as soon as new, substantial threats are identified, so be sure to register for such notifications as well.

Other security packages, such as the popular Tripwire data integrity assurance package, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators of unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as COMMAND.COM, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system (see Chapter 9, “Cryptography and Symmetric Key Algorithms,” for a full discussion of the hash functions used to create these values). These archived hash values are then compared to current computed values to detect any files that were modified between the two periods. At the most basic level, a hash is a number used to summarize the contents of a file. As long as the file stays the same, the hash will stay the same. If the file is modified, even slightly, the hash will change dramatically, indicating that the file has been modified. Unless the action seems explainable, such as happening after the installation of new software, application of an operating system patch, or similar change, sudden changes in executable files may be a sign of malware infection.

Virus Technologies

As virus detection and eradication technology rises to meet new threats programmed by malicious developers, new kinds of viruses designed to defeat those systems emerge. The following sections examine four specific types of viruses that use sneaky techniques in an attempt to escape detection—multipartite viruses, stealth viruses, polymorphic viruses, and encrypted viruses.

Multipartite Viruses

Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other. For example, the Marzia virus discovered in 1993 infects critical .COM and .EXE files, most notably the COMMAND.COM system file, by adding 2,048 bytes of malicious code to each file. This characteristic qualifies it as a file infector virus. In addition, two hours after it infects a system, it writes malicious code to the system’s master boot record, qualifying it as a boot sector virus.

Stealth Viruses

Stealth viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally. For example, a stealth boot sector virus might overwrite the system’s master boot record with malicious code but then also modify the operating system’s file access functionality to cover its tracks. When the antivirus package requests a copy of the MBR, the modified operating system code provides it with exactly what the antivirus package expects to see—a clean version of the MBR free of any virus signatures. However, when the system boots, it reads the infected MBR and loads the virus into memory.

Polymorphic Viruses

Polymorphic viruses actually modify their own code as they travel from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system. It is the hope of polymorphic virus creators that this constantly changing signature will render signature-based antivirus packages useless. However, antivirus vendors have “cracked the code” of many polymorphism techniques, so current versions of antivirus software are able to detect known polymorphic viruses. The only concern that remains is that it takes vendors longer to generate the necessary signature files to stop a polymorphic virus in its tracks, resulting in a lengthened period that the virus can run free on the Internet.

Encrypted Viruses

Encrypted viruses use cryptographic techniques, such as those described in Chapter 9, to avoid detection. In their outward appearance, they are actually quite similar to polymorphic viruses—each infected system has a virus with a different signature. However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk. Encrypted viruses use a very short segment of code, known as the virus decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk. Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system. However, the virus decryption routines often contain telltale signatures that render them vulnerable to updated antivirus software packages.

Hoaxes

No discussion of viruses is complete without mentioning the nuisance and wasted resources caused by virus hoaxes. Almost every email user has, at one time or another, received a message forwarded by a friend or relative that warns of the latest virus threat roaming the Internet. Invariably, this purported “virus” is the most destructive virus ever unleashed, and no antivirus package is able to detect and/or eradicate it. One famous example of such a hoax is the Good Times virus warning that first surfaced on the Internet in 1994 and still circulates today.

For more information on this topic, the renowned virus hoax expert Rob Rosenberger maintains a website that contains a comprehensive repository of virus hoaxes. You can find it at www.vmyths.com.

Logic Bombs

As you learned in Chapter 7, “Data and Application Security Issues,” logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, and so on. The vast majority of logic bombs are programmed into custom-built applications by software developers seeking to ensure that their work is destroyed if they unexpectedly leave the company. The previous chapter provided several examples of this type of logic bomb.

However, it’s important to remember that, like any malicious code object, logic bombs come in many shapes and sizes. Indeed, many viruses and Trojan horses contain a logic bomb component. The famous Michelangelo virus caused a media frenzy when it was discovered in 1991 because of the logic bomb trigger it contained. The virus infected a system’s master boot record through the sharing of infected floppy disks and then hid itself until March 6—the birthday of the famous Italian artist Michelangelo Buonarroti. On that date, it sprung into action, reformatting the hard drives of infected systems and destroying all the data they contain.

Trojan Horses

System administrators constantly warn computer users not to download and install software from the Internet unless they are absolutely sure it comes from a trusted source. In fact, many companies strictly prohibit the installation of any software not prescreened by the IT department. These policies serve to minimize the risk that an organization’s network will be compromised by a Trojan horse—a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network.

Trojans differ very widely in functionality. Some will destroy all the data stored on a system in an attempt to cause a large amount of damage in as short a time frame as possible. Some are fairly innocuous. For example, a series of Trojans appeared on the Internet in mid-2002 that claimed to provide PC users with the ability to run games designed for the Microsoft Xbox gaming system on their computers. When users ran the program, it simply didn’t work. However, it also inserted a value into the Windows Registry that caused a specific web page to open each time the computer booted. The Trojan creators hoped to cash in on the advertising revenue generated by the large number of page views their website received from the Xbox Trojan horses. Unfortunately for them, antivirus experts quickly discovered their true intentions, and the website was shut down.

One category of Trojan that has recently made a significant impact on the security community is rogue antivirus software. This software tricks the user into installing it by claiming to be an antivirus package, often under the guise of a pop-up ad that mimics the look and feel of a security warning. Once the user installs the software, it either steals personal information or prompts the user for payment to “update” the rogue antivirus. The “update” simply disables the Trojan!

Worms

Worms pose a significant risk to network security. They contain the same destructive potential as other malicious code objects with an added twist—they propagate themselves without requiring any human intervention.

The worm called Internet Worm was the first major computer security incident to occur on the Internet. Since that time, hundreds of new worms (with thousands of variant strains) have unleashed their destructive power on the Internet.

The Code Red worm received a good deal of media attention in the summer of 2001 when it rapidly spread among web servers running unpatched versions of Microsoft’s Internet Information Server (IIS). Code Red performed three malicious actions on the systems it penetrated:

• It randomly selected hundreds of IP addresses and then probed those hosts to see whether they were running a vulnerable version of IIS. Any systems it found were quickly compromised. This greatly magnified Code Red’s reach because each host it infected sought many new targets.
• It defaced HTML pages on the local web server, replacing normal content with the following text:

  Welcome to http://www.worm.com!

  Hacked By Chinese!

• It planted a logic bomb that would initiate a denial-of-service attack against the IP address 198.137.240.91, which at that time belonged to the web server hosting the White House’s home page. Quick-thinking government web administrators changed the White House’s IP address before the attack actually began.

The destructive power of Internet Worm, Code Red, and their many variants poses an extreme risk to the modern Internet. System administrators simply must ensure that they apply appropriate security patches to their Internet-connected systems as software vendors release them. As a case in point, a security fix for an IIS vulnerability exploited by Code Red was available from Microsoft for more than a month before the worm attacked the Internet. Had security administrators applied it promptly, Code Red would have been a miserable failure.

Spyware and Adware

Two other types of unwanted software interfere with the way you normally use your computer. Spyware monitors your actions and transmits important details to a remote system that spies on your activity. For example, spyware might wait for you to log into a banking website and then transmit your username and password to the creator of the spyware. Alternatively, it might wait for you to enter your credit card number on an e-commerce site and transmit it to a fraudster to resell on the black market.

Adware, while quite similar to spyware in form, has a different purpose. It uses a variety of techniques to display advertisements on infected computers. The simplest forms of adware display pop-up ads on your screen while you surf the Web. More nefarious versions may monitor your shopping behavior and redirect you to competitor websites.

Active Content

The increasing demand of web users for more and more dynamic content on the sites they visit has created a dilemma for web administrators. Delivering this dynamic content requires the use of web applications that can place an enormous computational burden on the server, and the increased demand for them requires a commitment of a large number of resources.

In an effort to solve this problem, software developers created the concept of active content, web programs that are downloaded to users’ own computers for execution rather than consuming server-side resources. These programs, utilizing technologies such as Java applets and ActiveX controls, greatly reduce the load on the server and client waiting time. Most web browsers allow users to choose to have the active content automatically downloaded, installed, and executed from trusted sites. Additionally, developers have the ability to digitally sign active content to identify the author, and users can configure their browsers to run only signed content from trusted sources, reducing the risk of running active content.

Unfortunately, this technology can pose a major threat to client systems. Unsuspecting users may download active content from an untrusted source and allow it to execute on their systems, creating a significant security vulnerability. This vulnerability led to the creation of a whole new type of malicious code—the hostile applet. Like other forms of malware, hostile applets have a variety of intentions, from causing a denial-of-service attack that merely consumes system resources to more insidious goals, such as theft of data.

Countermeasures

The primary means of defense against malicious code is the use of antivirus-filtering software. These packages are primarily signature-based systems, designed to detect known viruses running on a system. It’s wise to consider implementing antivirus filters in at least three key areas, described next.

Client systems Every workstation on a network should have updated antivirus software searching the local file system for malicious code.

Server systems Servers should have similar protections. This is even more critical than protecting client systems because a single virus on a common server could quickly spread throughout an entire network.

Content filters The majority of viruses today are exchanged over email. It’s a wise move to implement on your network content filtering that scans inbound and outbound electronic mail and web traffic for signs of malicious code.

Signature-based filters rely upon the descriptions of known viruses provided by software developers. Therefore, there is a period of time between when any given virus first appears “in the wild” and when updated filters are made available. This problem has two solutions that are commonly used today:

• Integrity checking software, such as Tripwire (an open source version is available at www.tripwire.org), scans your file system for unexpected modifications and reports to you periodically.
• Access controls should be strictly maintained and enforced to limit the ability of malicious code to damage your data and spread on your network.

Two additional techniques can specifically prevent systems from being infected by malicious code embedded in active content:

• Java’s sandbox provides applets with an isolated environment in which they can run safely without gaining access to critical system resources.
• ActiveX control signing utilizes a system of digital signatures to ensure that the code originates from a trusted source. It is up to the end user to determine whether the authenticated source should be trusted.

For an in-depth explanation of digital signature technology, see Chapter 10, “PKI and Cryptographic Applications.”

Many forms of malicious code take advantage of “zero day” vulnerabilities, security flaws discovered by hackers that have not been thoroughly addressed by the security community. There are two main reasons systems are affected by these vulnerabilities. First, it may be the result of the necessary delay between the discovery of a new type of malicious code and the issuance of patches and antivirus updates. Second, it may be due to slowness in applying updates on the part of system administrators. The existence of zero-day vulnerabilities makes it critical that you have a strong patch management program in your organization that ensures the prompt application of critical security updates. Additionally, you may wish to use a vulnerability scanner to scan your systems on a regular basis for known security issues.

Password Attacks

One of the simplest techniques attackers use to gain illegitimate access to a system is to learn the username and password of an authorized system user. Once they’ve gained access as a regular user, they have a foothold into the system. At that point, they can use other techniques, including automated rootkit packages, to gain increased levels of access to the system (see the section “Rootkits” later in this chapter). They may also use the compromised system as a jumping-off point for attacks on other, more attractive targets on the same network.

The following sections examine three methods attackers use to learn the passwords of legitimate users and access a system: password-guessing attacks, dictionary attacks, and social-engineering attacks. Many of these attacks rely upon weak password storage mechanisms. For example, many Unix operating systems store encrypted versions of a user’s password in the /etc/passwd file.

Password Guessing

In the most basic type of password attack, attackers simply attempt to guess a user’s password. No matter how much security education users receive, they often use extremely weak passwords. If attackers are able to obtain a list of authorized system users, they can often quickly figure out the correct usernames. (On most networks, usernames consist of the first initial of the user’s first name followed by a portion of their last name.) With this information, they can begin making some educated guesses about the user’s password. The most commonly used password is some form of the user’s last name, first name, or username. For example, the user mchapple might use the weak password elppahcm because it’s easy to remember. Unfortunately, it’s also easy to guess.

If that attempt fails, attackers turn to widely available lists of the most common passwords on the Internet. Some of these are shown in the sidebar “Most Common Passwords.”

Finally, a little knowledge about a person can provide extremely good clues about their password. Many people use the name of a spouse, child, family pet, relative, or favorite entertainer. Common passwords also include birthdays, anniversaries, Social Security numbers, phone numbers, and (believe it or not!) ATM PINs.

Dictionary Attacks

As mentioned previously, many Unix systems store encrypted versions of user passwords in an /etc/passwd file accessible to all system users. To provide some level of security, the file doesn’t contain the actual user passwords; it contains an encrypted value obtained from a one-way encryption function (see Chapter 9 for a discussion of encryption functions). When a user attempts to log on to the system, access verification routines use the same encryption function to encrypt the password entered by the user and then compare it with the encrypted version of the actual password stored in the /etc/passwd file. If the values match, the user is allowed access.

Password attackers use automated tools like the Crack program to run automated dictionary attacks that exploit a simple vulnerability in this mechanism. They take a large dictionary file that contains thousands of words and then run the encryption function against all those words to obtain their encrypted equivalents. Crack then searches the password file for any encrypted values for which there is a match in the encrypted dictionary. When a match is found, it reports the username and password (in plain text), and the attacker gains access to the system.

It sounds like simple security mechanisms and education would prevent users from using passwords that are easily guessed by Crack, but the tool is surprisingly effective at compromising live systems. As new versions of Crack are released, more advanced features are introduced to defeat common techniques used by users to defeat password complexity rules. Some of these are included in the following list:

• Rearranging the letters of a dictionary word
• Appending a number to a dictionary word
• Replacing each occurrence of the letter O in a dictionary word with the number 0 (or the letter l with the number 1)
• Combining two dictionary words in some form

Social Engineering

Social engineering is one of the most effective tools attackers use to gain access to a system. In its most basic form, a social-engineering attack consists of simply calling the user and asking for their password, posing as a technical support representative or other authority figure who needs the information immediately. Fortunately, most contemporary computer users are aware of these scams, and the effectiveness of directly asking a user for a password is somewhat diminished today. Instead, these attacks rely upon phishing emails that prompt users to log in to a fake site using their actual username and password, which are then captured by the attacker and used to log into the actual site. Phishing attacks often target financial services websites, where user credentials can be used to quickly transfer cash. In addition to tricking users into giving up their passwords, phishing attacks are often used to get users to install malware or provide other sensitive personal information.

However, social engineering still poses a significant threat to the security of passwords (and networks in general). Attackers can often obtain sensitive personal information by “chatting up” computer users, office gossips, and administrative personnel. This information can provide excellent ammunition when mounting a password-guessing attack. Furthermore, attackers can sometimes obtain sensitive network topography or configuration data that is useful when planning other types of electronic attacks against an organization.

Countermeasures

The cornerstone of any security program is education. Security personnel should continually remind users of the importance of choosing a secure password and keeping it secret. Users should receive training when they first enter an organization, and they should receive periodic refresher training, even if it’s just an email from the administrator reminding them of the threats.

Provide users with the knowledge they need to create secure passwords. Tell them about the techniques attackers use when guessing passwords, and give them advice on how to create a strong password. One of the most effective techniques is to use a mnemonic device such as thinking of an easy-to-remember sentence and creating a password out of the first letter of each word. For example, “My son Richard likes to eat four pies” would become MsRlte4p—an extremely strong password.

One of the most common mistakes made by overzealous security administrators is to create a series of strong passwords and then assign them to users (who are then prevented from changing their password). At first glance, this seems to be a sound security policy. However, the first thing a user will do when they receive a password like 1mf0A8flt is write it down on a sticky note and put it under their computer keyboard. Whoops! Security just went out the window (or under the keyboard)!

If your network includes Unix operating systems that implement the /etc/passwd file, consider using some other access verification mechanism to increase security. One popular technique available in many versions of Unix and Linux is the use of a shadow password file, /etc/shadow. This file contains the true encrypted passwords of each user, but it is not accessible to anyone but the administrator. The publicly accessible /etc/passwd file then simply contains a list of usernames without the data necessary to mount a dictionary attack.

Denial-of-Service Attacks

As you learned in Chapter 2, malicious individuals often use denial-of-service (DoS) attacks in an attempt to prevent legitimate users from accessing resources. This is often a “last-ditch” effort when an attacker realizes that they can’t penetrate a system—“If I can’t have it, then nobody can.” In the following sections, we’ll take a look at five specific denial-of-service attacks and the mechanisms they use to disable computing systems. In some of these attacks, a brute-force attack is used, simply overwhelming a targeted system with so many requests that it can’t possibly sort out the legitimate ones from those that are part of the attack. Others include elegantly crafted commands that cause vulnerable systems to crash or hang indefinitely.

SYN Flood

Recall from Chapter 2 that the TCP/IP protocol utilizes a three-way handshaking process to set up connections between two hosts. In a typical connection, the originating host sends a single packet with the SYN flag enabled, attempting to open one side of the communications channel. The destination host receives this packet and sends a reply with the ACK flag enabled (confirming that the first side of the channel is open) and the SYN flag enabled (attempting to open the reverse channel). Finally, the originating host transmits a packet with the ACK flag enabled, confirming that the reverse channel is open and the connection is established. If, for some reason, the process is not completed, the communicating hosts leave the connection in a half-open state for a predetermined period of time before aborting the attempt. Figure 8.1 illustrates the standard handshaking process.

In a SYN flood attack, attackers use special software that sends a large number of fake packets with the SYN flag set to the targeted system. The victim then reserves space in memory for the connection and attempts to send the standard SYN/ACK reply but never hears back from the originator. This process repeats hundreds or even thousands of times, and the targeted computer eventually becomes overwhelmed and runs out of available resources for the half-opened connections. At that time, it either crashes or simply ignores all inbound connection requests because it can’t possibly handle any more half-open connections. This prevents everyone—both attackers and legitimate users—from connecting to the machine and results in an extremely effective denial-of-service attack. Figure 8.2 shows the SYN flood modified handshaking process.

The SYN flood attack crippled many computing systems in the late 1990s and the year 2000. Web servers were especially vulnerable to this type of attack. Fortunately, modern firewalls contain specialized technology designed to prevent successful SYN flood attacks in the future. For example, Checkpoint Software’s popular Firewall-1 package contains the SYNDefender functionality that acts as a proxy for SYN requests and shelters the destination system from any barrage of requests.

Distributed DoS Toolkits

Distributed denial-of-service (DDoS) attacks allow attackers to harness the power of many third-party systems to attack the ultimate target. In many DDoS attacks, an attacker will first use some other technique to compromise a large number of systems. They then install software on those compromised systems that enables them to participate in the main attack, effectively enlisting those machines into an army of attackers known as a botnet.

Trinoo and the Tribal Flood Network (TFN) are two commonly used DDoS toolkits. Attackers compromise third-party systems and install Trinoo/TFN clients that lie dormant waiting for instructions to begin an attack. When the attacker is satisfied that enough clients are lying in wait, they use a Trinoo/TFN master server to “wake up” the clients and initiate a coordinated attack against a single destination system or network from many directions. The current versions of Trinoo and TFN allow the master server to initiate many common DoS attacks, including SYN floods and smurf attacks, from the third-party client machines.

Distributed denial-of-service attacks using these toolkits pose extreme risks to Internet-connected systems and are very difficult to defend against. In February 2000, attackers launched a week-long DDoS campaign against a number of high-profile websites, including those of Yahoo!, CNN, and Amazon.com. The attacks rendered these sites virtually inaccessible to legitimate users for an extended period of time. In fact, many security practitioners consider DDoS attacks the single greatest threat facing the Internet today.

Smurf

The smurf attack takes the distributed denial-of-service attack to the next level by harnessing the power of many unwitting third-party hosts to attack a system. Attacks that are like smurf and are amplified using third-party networks are known as distributed reflective denial-of-service (DRDoS) attacks.

The smurf DRDoS attack in particular exploits a vulnerability in the implementation of the Internet Control Message Protocol (ICMP) ping functionality. The intended use of ping allows users to send single “Are you there?” packets to other systems. If the system is alive and responding, it returns a single “Yes, I am” packet. It offers an efficient way to check network connectivity and diagnose potential networking issues. The typical exchange involves only two packets traversing the network and consumes minimal computer/network resources.

In a smurf attack, the originating system creates a false ping packet that appears to be from the target of the attack. The destination of the packet is the broadcast address of the third-party network. Therefore, each machine on the third-party network receives a copy of the ping request. According to the request they received, the originator is the victim system, and each machine on the network sends a “Yes, I’m alive” packet to the victim. The originator repeats this process by rapidly sending a large number of these requests through different intermediary networks, and the victim quickly becomes overwhelmed by the number of requests. Figure 8.3 illustrates the smurf attack data flow.

The prevention of smurf attacks depends upon the use of responsible filtering rules by networks across the entire Internet. System administrators should set rules at the router and/or firewall that prohibit inbound ping packets sent to a broadcast address (or perhaps even prohibit inbound pings entirely!). Furthermore, administrators should use egress filtering—a technique that prohibits systems on a network from transmitting packets with IP addresses that do not belong to the network. This prevents a network from being utilized by malicious individuals seeking to initiate a smurf attack or any type of masquerading attack aimed at a remote network (see the section “Masquerading Attacks” for more information on this topic).

DNS Amplification Attacks

Another type of distributed denial-of-service attack seen in recent years is the DNS amplification attack. The DNS amplification mechanism is similar to that of a smurf attack: An attacker tricks unwitting participants into sending unwanted traffic to a third party, flooding that third party’s network connection.

The two attacks differ in their implementation. While smurf attacks take advantage of broadcast network addresses, DNS amplification attacks leverage recursive DNS queries. Attackers simply locate some of the many DNS servers on the Internet that will perform recursive name resolution on behalf of any client. They then spoof DNS queries to that address using the source address of their intended target. The attacker intentionally crafts these queries to elicit a voluminous response from the DNS server. DNS leverages UDP packets. Unlike TCP, UDP is a connectionless protocol, so it is not necessary for the attacker to actually establish a TCP session with the server, allowing the attacker to successfully impersonate the victim system.

Using DNS amplification attacks, malicious individuals can quickly bring a victim to its knees by amplifying a relatively small amount of network traffic (in the form of DNS queries) into a barrage of unwanted traffic (in the form of DNS responses).

Teardrop

The teardrop attack is a member of a subclass of DoS attacks known as fragmentation attacks that exploit vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack. System administrators can configure the maximum size allowed for TCP/IP packets that traverse each network that carries them. They usually choose this value based upon the available hardware, quality of service, and typical network traffic parameters to maximize network efficiency and throughput.

When a network receives a packet larger than its maximum allowable packet size, it breaks it up into two or more fragments. These fragments are each assigned a size (corresponding to the length of the fragment) and an offset (corresponding to the starting location of the fragment). For example, if a packet is 250 bytes long and the maximum packet size for the network is 100 bytes, it will require fragmentation. In a correctly functioning TCP/IP stack, the packet would be broken up into three fragments, as shown in Figure 8.4.

In the teardrop attack, attackers use software that sends out packet fragments that don’t conform to the protocol specification. Specifically, they send two or more overlapping fragments, illustrated in Figure 8.5. The malicious individual might send out fragment 1, a perfectly normal packet fragment of length 100. Under normal conditions, this fragment would be followed by a second fragment with offset 100 (correlating to the length of the first fragment). However, in the teardrop attack, the attacker sends a second fragment with an offset value that is too low, placing the second fragment right in the middle of the first fragment. When the receiving system attempts to reassemble the fragmented packet, it doesn’t know how to properly handle the overlapping fragments and freezes or crashes.

As with many of the attacks described in this book, the teardrop attack is a well-known exploit, and most operating system vendors have released security patches that prevent this type of attack from crippling updated systems. However, attacks like teardrop continue to cause damage on a daily basis because of neglectful system administrators who fail to apply appropriate patches, leaving their systems vulnerable to attack.

Land

The land denial-of-service attack causes many older operating systems (such as Windows NT 4, Windows 95, and SunOS 4.1.4) to freeze and behave in an unpredictable manner. It works by creating an artificial TCP packet that has the SYN flag set. The attacker sets the destination IP address to the address of the victim machine and sets the destination port to an open port on that machine. Next, the attacker sets the source IP address and source port to the same values as the destination IP address and port. When the targeted host receives this unusual packet, the operating system doesn’t know how to process it and freezes, crashes, or behaves in an unusual manner as a result.

DNS Poisoning

Another DoS attack, DNS poisoning, works without ever touching the targeted host. Instead, it exploits vulnerabilities in the Domain Name System (DNS) protocol and attempts to redirect traffic to an alternative server without the targeted victim’s knowledge.

Consider an example—suppose an attacker wants to redirect all legitimate traffic headed for www.whitehouse.gov to an alternative site, say www.youvebeenhacked.com. We can assume that the White House site, as a frequent target of attackers, is highly secure. Instead of attempting to directly penetrate that site, the attacker might try to insert false data into the DNS that provides the IP address of www.youvebeenhacked.com when users query for the IP address of www.whitehouse.gov.

How could this happen? When you create a domain name, you use one of several domain name registrars that serve as central clearinghouses for DNS registrations. If an attacker is able to gain access to your registrar account (or the registrar’s infrastructure itself), they might be able to alter your DNS records without your knowledge. In the early days of DNS, authentication was weak, and users could change DNS information by simply sending an unauthenticated email message. Fortunately, registrars have since implemented more secure authentication techniques that use cryptographic technology to verify user identities. DNS poisoning attacks use more advanced techniques to exploit weaknesses in DNS technology to redirect users to unexpected sites.

Ping of Death

The final denial-of-service attack we’ll examine in this chapter is the infamous ping-of-death attack that plagued systems in the mid-1990s. This exploit is actually quite simple. According to the ICMP specification, the largest permissible ICMP packet is 65,536 bytes. However, many early operating system developers simply relied upon the assumption that the protocol stacks of sending machines would never exceed this value and did not build in error-handling routines to monitor for packets that exceeded this maximum.

Attackers seeking to exploit the ping-of-death vulnerability simply used a packet generation program to create a ping packet destined for the victim host with a size of at least 65,537 bytes. If the victim’s operating system didn’t check the length of the packet and attempted to process it, unpredictable results would occur. Some operating systems hung or crashed.

After this exploit was discovered, operating system manufacturers quickly updated their ICMP algorithms to prevent future occurrences. However, machines running older versions of certain operating systems may still be vulnerable to this attack. Some notable versions include Windows 3.11 and Mac OS 7, along with unpatched versions of Windows 95, Windows NT 4, and Solaris 2.4–2.5.1. If you’re running any of those operating systems on your network, update them to the appropriate patch level or version to protect yourself against this exploit.

Application Attacks

In Chapter 7, you learned about the importance of utilizing solid software engineering processes when developing operating systems and applications. In the following sections, you’ll take a brief look at some of the specific techniques attackers use to exploit vulnerabilities left behind by sloppy coding practices.

Buffer Overflows

Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size and therefore it can “overflow” a data structure to affect other data stored in the computer’s memory. For example, if a web form has a field that ties to a back-end variable that allows 10 characters but the form processor does not verify the length of the input, the operating system may try to simply write data past the end of the memory space reserved for that variable, potentially corrupting other data stored in memory. In the worst case, that data can be used to overwrite system commands, allowing an attacker to exploit the buffer overflow vulnerability to execute arbitrary commands on the server.

When creating software, developers must pay special attention to variables that allow user input. Many programming languages do not enforce size limits on variables intrinsically—they rely on the programmer to perform this bounds checking in the code. This is an inherent vulnerability because many programmers feel parameter checking is an unnecessary burden that slows down the development process. As a security practitioner, it’s your responsibility to ensure that developers in your organization are aware of the risks posed by buffer-overflow vulnerabilities and that they take appropriate measures to protect their code against this type of attack.

Any time a program variable allows user input, the programmer should take steps to ensure that each of the following conditions is met:

• The user can’t enter a value longer than the size of any buffer that will hold it (for example, a 10-letter word into a 5-letter string variable).
• The user can’t enter an invalid value for the variable types that will hold it (for example, a letter into a numeric variable).
• The user can’t enter a value that will cause the program to operate outside of its specified parameters (for example, answer a “yes” or “no” question with “maybe”).

Failure to perform simple checks to make sure these conditions are met can result in a buffer-overflow vulnerability that may cause the system to crash or even allow the user to execute shell commands and gain access to the system. Buffer-overflow vulnerabilities are especially prevalent in code developed rapidly for the Web using CGI or other languages that allow unskilled programmers to quickly create interactive web pages. Most buffer overflow vulnerabilities are mitigated with patches provided by software and operating system vendors, magnifying the importance of keeping systems and software up-to-date.

Time-of-Check-to-Time-of-Use

The time-of-check-to-time-of-use (TOCTTOU or TOC/TOU) issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. For example, if an operating system builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session, a TOCTTOU vulnerability exists. If the system administrator revokes a particular permission, that restriction would not be applied to the user until the next time they log on. If the user is logged on when the access revocation takes place, they will have access to the resource indefinitely. The user simply needs to leave the session open for days, and the new restrictions will never be applied.

Trap Doors

Trap doors (or back doors) are undocumented command sequences that allow software developers to bypass normal access restrictions. They are often used during the development and debugging process to speed up the workflow and avoid forcing developers to continuously authenticate to the system. Occasionally, developers leave these trap doors in the system after it reaches a production state, either by accident or so they can “take a peek” at their system when it is processing sensitive data to which they should not have access.

Obviously, the undocumented nature of trap doors makes them a significant threat to the security of any system that contains them, especially when they are undocumented and forgotten. If a developer leaves the firm, they could later use the trap door to access the system and retrieve confidential information or participate in industrial sabotage.

Rootkits

Rootkits are specialized software packages that have only one purpose—to allow attackers to gain expanded access to a system. Rootkits are freely available on the Internet and exploit known vulnerabilities in various operating systems. Attackers often obtain access to a standard system user account through the use of a password attack or social engineering and then use a rootkit to increase their access to the root (or administrator) level.

Administrators can take one simple precaution to protect their systems against the vast majority of rootkit attacks, and it’s nothing new. Administrators must keep themselves informed about new security patches released for operating systems used in their environment and apply these corrective measures consistently. This straightforward step will fortify a network against almost all rootkit attacks as well as a large number of other potential vulnerabilities.

Web Application Security

The Web allows you to purchase airline tickets, check your email, pay your bills, and purchase stocks all from the comfort of your living room. Almost every business today operates a website, and many allow you to conduct sensitive transactions through that site.

Along with the convenience benefits of web applications comes a series of new vulnerabilities that may expose web-enabled organizations to security risks. In the next several sections, we’ll cover two common web application attacks.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) attacks occur when web applications contain some type of reflected input. For example, consider a simple web application that contains a single text box asking a user to enter their name. When the user clicks Submit, the web application loads a new page that says, “Hello, name.”

Under normal circumstances, this web application functions as designed. However, a malicious individual could take advantage of this web application to trick an unsuspecting third party. As you may know, you can embed scripts in web pages by using the HTML <SCRIPT> and </SCRIPT> tags. Suppose that, instead of entering Mike in the Name field, you enter the following text:

When the web application “reflects” this input in the form of a web page, your browser processes it as it would any other web page: It displays the text portions of the web page and executes the script portions. In this case, the script simply opens a pop-up window that says “Hello” in it. However, you could be more malicious and include a more sophisticated script that asks the user to provide a password and transmits it to a malicious third party.

At this point, you’re probably asking yourself how anyone would fall victim to this type of attack. After all, you’re not going to attack yourself by embedding scripts in the input that you provide to a web application that performs reflection. The key to this attack is that it’s possible to embed form input in a link. A malicious individual could create a web page with a link titled “Check your account at First Bank” and encode form input in the link. When the user visits the link, the web page appears to be an authentic First Bank website (because it is!) with the proper address in the toolbar and a valid SSL certificate. However, the website would then execute the script included in the input by the malicious user, but it would appear to be part of the valid web page.

What’s the answer to cross-site scripting? When you create web applications that allow any type of user input, you must be sure to perform input validation. At the most basic level, you should never allow a user to include the <SCRIPT> tag in a reflected input field. However, this doesn’t solve the problem completely; there are many clever alternatives available to an industrious web application attacker. The best solution is to determine the type of input that you will allow and then validate the input to ensure that it matches that pattern. For example, if you have a text box that allows users to enter their age, you should accept between only one and three digits as input. Your application should reject any other input as invalid.

SQL Injection

SQL injection attacks are even riskier than XSS attacks from an organization’s perspective. As with XSS attacks, SQL injection attacks use unexpected input to a web application. However, instead of using this input to attempt to fool a user, SQL injection attacks use it to gain unauthorized access to an underlying database.

Dynamic Web Applications

In the early days of the Web, all web pages were static, or unchanging. Webmasters created web pages containing information and placed them on a web server, where users could retrieve them using their web browsers. The Web quickly outgrew this model because users wanted the ability to access customized information based upon their individual needs. For example, visitors to a bank website aren’t interested only in static pages containing information about the bank’s locations, hours, and services. They also want to retrieve dynamic content containing information about their personal accounts. Obviously, the webmaster can’t possibly create pages on the web server for each individual user with that user’s personal account information. At a large bank, that would require maintaining millions of pages with up-to-the-minute information. That’s where dynamic web applications come into play.

Web applications take advantage of a database to create content on-demand when the user makes a request. In the banking example, the user logs into the web application, providing an account number and password. The web application then retrieves current account information from the bank’s database and uses it to instantly create a web page containing the user’s current account information. If that user returns an hour later, the web server would repeat the process, obtaining updated account information from the database. Figure 8.6 illustrates this model.

What does this mean to you as a security professional? Web applications add complexity to our traditional security model. As shown in Figure 8.6, the web server, as a publicly accessible server, belongs in a separate network zone from other servers, commonly referred to as a DMZ. The database server, on the other hand, is not meant for public access, so it belongs on the internal network. The web application needs access to the database, so the firewall administrator must create a rule allowing access from the web server to the database server. This rule creates a potential path for Internet users to gain access to the database server. (For more on firewalls and DMZs, see Chapter 3.)

If the web application functions properly, it will allow only authorized requests to the database. However, if there is a flaw in the web application, it may allow individuals to tamper with the database in an unexpected and unauthorized fashion through the use of SQL injection attacks.

SQL Injection Attacks

SQL injection attacks allow a malicious individual to directly perform SQL transactions against the underlying database, in violation of the isolation model shown in Figure 8.6.

In the example used earlier, a bank customer might enter an account number to gain access to a dynamic web application that retrieves current account details. The web application must use a SQL query to obtain that information, perhaps of the following form, where <number> is the account number provided by the user on the web form:

There’s one more important fact you need to know: Databases will process multiple SQL statements at the same time, provided that you end each one with a semicolon.

If the web application doesn’t perform proper input validation, the user may be able to insert their own SQL code into the statement executed by the web server. For example, if the user’s account number is 145249, he could enter the following:

The web application would then obediently plug this in to the <number> field in the earlier SQL statement, resulting in the following:

Reformatting that command slightly, you get the following:

This is a valid SQL transaction containing two statements. The first one retrieves the requested information from the database. The second statement deletes all the records stored in the database. Whoops!

Protecting against SQL Injection

You can use two techniques to protect your web applications against SQL injection attacks:

Perform input validation As described earlier in this chapter when talking about cross-site scripting, input validation allows you to limit the types of data a user provides in a form. In the case of the SQL injection example we provided in the previous section, removing the single quote characters (') from the input would prevent the successful use of this attack.

Limit account privileges The database account used by the web server should have the smallest set of privileges possible. If the web application needs only to retrieve data, it should have that ability only. In the example, the DELETE command would fail if the account had SELECT privileges only.

Reconnaissance Attacks

As with any attacking force, attackers require solid intelligence to effectively focus their efforts against the targets most likely to yield the best results. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance. In the following sections, we’ll cover three of those automated techniques—IP probes, port scans, and vulnerability scans—and then explain how these techniques can be supplemented by the more physically intensive dumpster-diving technique.

IP Probes

IP probes (also called IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.

IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you’ll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality by disabling ICMP, at least for users external to a network.

Port Scans

After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks. Often, attackers have a type of target in mind; web servers, file servers, and other servers supporting critical operations are prime targets.

To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine. For example, if the attacker wants to target a web server, they might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.

Vulnerability Scans

The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. A variety of tools available on the Internet assist with this task. Two of the more popular ones are the Nessus and Saint vulnerability scanners. These packages contain a database of known vulnerabilities and probe targeted systems to locate security flaws. They then produce very attractive reports that detail every vulnerability detected. From that point, it’s simply a matter of locating a script that exploits a specific vulnerability and launching an attack against the victim.

It’s important to note that vulnerability scanners are highly automated tools. They can be used to launch an attack against a specific system, but it’s just as likely that an attacker would use a series of IP probes, port scans, and vulnerability scans to narrow down a list of potential victims. However, chances are an intruder will run a vulnerability scanner against an entire network to probe for any weakness that could be exploited.

Once again, simply updating operating systems to the most recent security patch level can repair almost every weakness reported by a vulnerability scanner. Furthermore, wise system administrators learn to think like the enemy—they download and run these vulnerability scanners against their own networks (with the permission of upper management) to see what security holes might be pointed out to a potential attacker. This allows them to quickly focus their resources on fortifying the weakest points on their networks.

Dumpster Diving

Every organization generates trash—often significant amounts on a daily basis. Have you ever taken the time to sort through your trash to see the sensitivity of the materials that hit the recycle bin? Give it a try—the results may frighten you. When you’re analyzing the work papers thrown away each day, look at them from an attacker’s perspective. What type of intelligence could you glean from them that might help you launch an attack? Is there sensitive data about network configurations or installed software versions? A list of employees’ birthdays from a particular department that might be used in a social-engineering attack? A policy manual that contains detailed procedures on the creation of new accounts? Discarded floppy disks or other storage media?

Don’t underestimate the value of even trivial corporate documents to a social engineer. Kevin Mitnick, a famous social engineer, once admitted to using company newsletters as a key component of his attacks. He skipped right to the section containing a listing of new hires, recognizing that these individuals were perfect victims: all too eager to please someone calling from the “top floor” requesting sensitive information.

Dumpster diving is one of the oldest attacker tools in the book, and it’s still used today. The best defense against these attacks is quite simple—make them more difficult. Purchase shredders for key departments, and encourage employees to use them. Keep the trash locked up in a secure area until the garbage collectors arrive. A little common sense goes a long way in this area.

Masquerading Attacks

One of the easiest ways to gain access to resources you’re not otherwise entitled to use is to impersonate someone who does have the appropriate access permissions. In the offline world, teenagers often borrow the driver’s license of an older sibling to purchase alcohol, and the same type of thing happens in the computer security world. Attackers borrow the identities of legitimate users and systems to gain the trust of third parties. In the following sections, we’ll take a look at two common masquerading attacks—IP spoofing and session hijacking.

IP Spoofing

In an IP spoofing attack, the malicious individual simply reconfigures their system so that it has the IP address of a trusted system and then attempts to gain access to other external resources. This is surprisingly effective on many networks that don’t have adequate filters installed to prevent this type of traffic from occurring. System administrators should configure filters at the perimeter of each network to ensure that packets meet at least the following criteria:

• Packets with internal source IP addresses don’t enter the network from the outside.
• Packets with external source IP addresses don’t exit the network from the inside.
• Packets with private IP addresses don’t pass through the router in either direction (unless specifically allowed as part of an intranet configuration).

These three simple filtering rules can eliminate the vast majority of IP spoofing attacks and greatly enhance the security of a network.

Session Hijacking

Session hijacking attacks occur when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user. The following list includes some common techniques:

• Capturing details of the authentication between a client and server and using those details to assume the client’s identity
• Tricking the client into thinking the attacker’s system is the server, acting as the middleman as the client sets up a legitimate connection with the server, and then disconnecting the client
• Accessing a web application using the cookie data of a user who did not properly close the connection

All of these techniques can have disastrous results for the end user and must be addressed with both administrative controls (such as antireplay authentication techniques) and application controls (such as expiring cookies within a reasonable period of time).

Decoy Techniques

Attackers aren’t the only ones with tricks up their sleeves—security administrators have also mastered sleight-of-hand tricks and use them to lure attackers into a sense of false security. After they’ve had the opportunity to observe attackers and trace their actions back to the source, they take action to protect their networks from future attacks. In the following sections, we’ll examine two such techniques used by creative system administrators: honeypots and pseudoflaws.

Honeypots

Administrators often create honeypots that appear to be extremely lucrative attacker targets. They may contain files that appear to be sensitive and/or valuable or run false services (like a web server) that appear to be critical to an organization’s operations. In reality, these systems are nothing but decoys set up to lure attackers away from truly critical resources and allow administrators to monitor and trace their activities.

Pseudoflaws

Pseudoflaws are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to detect attackers. They are often used on honeypot systems and on critical resources to emulate well-known operating system vulnerabilities. Attackers seeking to exploit a known flaw might stumble across a pseudoflaw and think that they have successfully penetrated a system. More sophisticated pseudoflaw mechanisms actually simulate the penetration and convince the attacker that they have gained additional access privileges to a system. However, while the attacker is exploring the bounds of these newfound rights, monitoring and alerting mechanisms trigger in the background to alert administrators to the threat and increase the defensive posture surrounding critical network resources.

Summary

Throughout history, criminals have always been extremely creative. No matter what security mechanisms have been put in place to deter them, criminals have found methods to bypass them and reach their ultimate goals. This is no less true in the realm of computer security than in any other aspect of criminal psychology. Attackers use a number of automated tools to perform network reconnaissance so they can focus their efforts on the targets most likely to yield the best results. Examples include IP probes, port scans, malicious code, password attacks, denial-of-service attacks, application attacks, reconnaissance attacks, masquerading attacks, and decoy techniques.

By no means was this a comprehensive look at all possible hacking methods—that would be an impossible task. New tools and techniques appear in the hacking subculture almost on a daily basis. However, you should now have a good feeling for the types of weapons attackers have at their disposal as well as some of the best defense mechanisms security administrators can use to fortify their protected systems and networks against attacker intrusions.

Remember the following key actions you can take to increase your security posture:

• Use strong passwords.
• Update operating systems and applications with security patches as they are released by vendors.
• Use commonsense filtering techniques to ensure that traffic on your network is what it appears to be.

Pay particular attention to the technical details of the attacks presented in this chapter. Be familiar with the technology underlying each attack, and be prepared to identify them in a multiple-choice format. Just as important, understand the countermeasures system administrators can apply to prevent each one of those attacks from occurring on protected networks.

Exam Essentials

Understand the propagation techniques used by viruses. Viruses use three main propagation techniques—file infection, boot sector infection, and macro infection—to penetrate systems and spread their malicious payloads.

Know how antivirus software packages detect known viruses. Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge.

Be able to explain the techniques viruses use to escape detection. Viruses use polymorphism and encryption to avoid leaving behind signature footprints. Multipartite viruses use more than one propagation technique to infiltrate systems. Stealth viruses alter operating systems to trick antivirus packages into thinking everything is normal.

Understand the basic principles behind logic bombs, Trojan horses, and worms. Logic bombs remain dormant until one or more conditions are met. At that time, they trigger their malicious payload. Trojan horses penetrate systems by masquerading as a benevolent program while unleashing their payload in the background. Worms spread from system to system under their own power, potentially consuming massive amounts of resources.

Be familiar with common password attacks, and understand how to develop strong passwords. Attackers attempting to gain access to a system use straightforward guessing in combination with dictionary attacks and social-engineering techniques to learn user passwords. System administrators should implement security education programs and operating system controls to ensure that users choose strong passwords.

Understand common denial-of-service attacks and appropriate countermeasures. Attackers use standard denial-of-service attacks like SYN flooding, teardrop fragmentation attacks, and the ping of death to cripple targeted systems. They also harness the power of the global computing grid through the use of smurf attacks and other distributed denial-of-service attacks.

Be familiar with the various types of application attacks attackers use to exploit poorly written software. Buffer-overflow vulnerabilities are one of the greatest threats to modern computing. Attackers also exploit trap doors, time-of-check-to-time-of-use vulnerabilities, and rootkits to gain illegitimate access to a system. Malicious individuals may also use cross-site scripting and SQL injection to exploit vulnerable web applications.

Know the network reconnaissance techniques used by attackers preparing to attack a network. Before launching an attack, attackers use IP sweeps to search out active hosts on a network. These hosts are then subjected to port scans and other vulnerability probes to locate weak spots that might be attacked in an attempt to compromise the network.

Understand decoy techniques used by system administrators seeking to lure attackers into a trap. System administrators use honeypot systems that appear to be lucrative, easy-to-hit targets for attackers in attempts to draw them away from critical systems and track their activities. These systems might contain pseudoflaws—apparent vulnerabilities that don’t really exist—in an attempt to lull malicious individuals into a false sense of security.

Written Lab

Answers to Written Lab

Review Questions

1. What is the size of the master boot record on a system installed with a typical configuration?

A. 256 bytes

B. 512 bytes

C. 1,024 bytes

D. 2,048 bytes

2. How many steps take place in the standard TCP/IP handshaking process?

A. One

B. Two

C. Three

D. Four

3. Which one of the following types of attacks relies upon the difference between the timing of two events?

A. Smurf

B. TOCTTOU

C. Land

D. Fraggle

4. What propagation technique does the Good Times virus use to spread infection?

A. File infection

B. Boot sector infection

C. Macro infection

D. None of the above

5. What advanced virus technique modifies the malicious code of a virus on each system it infects?

A. Polymorphism

B. Stealth

C. Encryption

D. Multipartitism

6. Which one of the following files might be modified or created by a companion virus?

A. COMMAND.EXE

B. CONFIG.SYS

C. AUTOEXEC.BAT

D. WIN32.DLL

7. What is the best defensive action that system administrators can take against the threat posed by new malicious code objects that exploit known software vulnerabilities?

A. Update antivirus definitions monthly.

B. Install antiworm filters on the proxy server.

C. Apply security patches as they are released.

D. Prohibit Internet use on the corporate network.

8. Which one of the following passwords is least likely to be compromised during a dictionary attack?

A. mike

B. elppa

C. dayorange

D. dlayna

9. What file is instrumental in preventing dictionary attacks against Unix systems?

A. /etc/passwd

B. /etc/shadow

C. /etc/security

D. /etc/pwlog

10. Which one of the following tools can be used to launch a distributed denial-of-service attack against a system or network?

A. Satan

B. Saint

C. Trinoo

D. Nmap

11. Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

A. Teardrop

B. Smurf

C. Ping of death

D. SYN flood

12. What type of reconnaissance attack provides attackers with useful information about the services running on a system?

A. Session hijacking

B. Port scan

C. Dumpster diving

D. IP sweep

13. What condition is necessary on a web page for it to be used in a cross-site scripting attack?

A. Reflected input

B. Database-driven content

C. .NET technology

D. CGI scripts

14. What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?

A. Stealth virus

B. Companion virus

C. Polymorphic virus

D. Multipartite virus

15. What is the most effective defense against cross-site scripting attacks?

A. Limiting account privileges

B. Input validation

C. User authentication

D. Encryption

16. Jim recently downloaded an application from a website that ran within his browser and caused his system to crash by consuming all available resources. Jim was most likely the victim of what type of malicious code?

A. Virus

B. Worm

C. Trojan horse

D. Hostile applet

17. Alan is the security administrator for a public network. In an attempt to detect hacking attempts, he installed a program on his production servers that imitates a well-known operating system vulnerability and reports exploitation attempts to the administrator. What is this type of technique called?

A. Honeypot

B. Pseudoflaw

C. Firewall

D. Bear trap

18. What technology does the Java language use to minimize the threat posed by applets?

A. Confidentiality

B. Encryption

C. Stealth

D. Sandbox

19. Renee is the security administrator for a research network. She’s attempting to convince her boss that they should disable two unused services—chargen and echo. What attack is the network more vulnerable to with these services running?

A. Smurf

B. Land

C. Fraggle

D. Ping of death

20. Which one of the following attacks uses a TCP packet with the SYN flag set and identical source/destination IP addresses and ports?

A. Smurf

B. Land

C. Fraggle

D. Ping of death

Answers to Review Questions

1. B. The master boot record is a single sector of a floppy disk or hard drive. Each sector is normally 512 bytes. The MBR contains only enough information to direct the proper loading of the operating system.

2. C. The TCP/IP handshake consists of three phases: SYN, SYN/ACK, and ACK. Attacks like the SYN flood abuse this process by taking advantage of weaknesses in the handshaking protocol to mount a denial-of-service attack.

3. B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.

4. D. The Good Times virus is a famous hoax that does not actually exist.

5. A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.

6. A. Companion viruses are self-contained executable files with filenames similar to those of existing system/program files but with a modified extension. The virus file is executed when an unsuspecting user types the filename without the extension at the command prompt.

7. C. The vast majority of new malicious code objects exploit known vulnerabilities that were already addressed by software manufacturers. The best action administrators can take against new threats is to maintain the patch level of their systems.

8. D. Except option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backwards, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. dlayna is simply a random string of characters that a dictionary attack would not uncover.

9. B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.

10. C. Trinoo and the Tribal Flood Network (TFN) are the two most commonly used distributed denial-of-service (DDoS) attack toolkits. The other three tools mentioned are reconnaissance techniques used to map networks and scan for known vulnerabilities.

11. A. The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.

12. B. Port scans reveal the ports associated with services running on a machine and available to the public.

13. A. Cross-site scripting attacks are successful only against web applications that include reflected input.

14. D. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.

15. B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <SCRIPT> tag in the input.

16. D. Hostile applets are a type of malicious code that users download from a remote website and run within their browsers. These applets, written using technologies like ActiveX and Java, may then perform a variety of malicious actions.

17. B. Alan has implemented pseudoflaws in his production systems. Honeypots often use pseudoflaws, but they are not the technology used in this case because honeypots are stand-alone systems dedicated to detecting attackers.

18. D. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.

19 C. The fraggle attack utilizes the uncommonly used UDP services chargen and echo to implement a denial-of-service attack.

20. B. The land attack uses a TCP packet constructed with the SYN flag set and identical source and destination sockets. It causes older operating systems to behave in an unpredictable manner.