Third-party software is the most vulnerable component in a system. For example, the iPhones released by Apple might have been fully penetration tested and checked out, but a single app installed after the user has access could circumvent the barriers set up by the manufacturer (Figure 6.1).
It is incorrect to describe “third parties” as simply additional apps that have been installed. Additional third parties could be an application programming interface (API) that was installed for a specific feature in an operating system (OS). Most of the time, this third party may not be in use and is merely lying dormant, waiting to accept input from a local app or from remote users. In many cases, attacks will start at a very simple low level, but the pinhole of vulnerability can then be continuously widened to allow more advanced and structured code to enter.
Lab Analysis and Learning Vulnerabilities
A short period of “binary analysis” will help individuals understand what healthy code looks like. In one week, an individual will be exposed to at least one new vulnerability, and in one month, he or she will have found a unique vulnerability that no one else has yet discovered. While automated tools exist to discover dangerous patterns in code, they often are subjected to false positives. Automated tools are still limited in their ability to truly understand the overall security goals that humans are best at interpreting.
It is important for security personnel to attempt to think like a hacker in order to effectively find ways to offset the various approaches that hackers employ. Wherever possible, hackers start by manipulating people in order to gain unauthorized access, and they can then progress to entering target processes and inserting malicious code at strategic locations in order to achieve their set of goals. Increasingly, the goal of modern hackers, and especially those linked to nation-states, is to establish a long-term persistent presence in a target’s computer system. And only once this is accomplished do they proceed to extract information or take destructive action, either immediately or in a time-delayed fashion, within the target system.
Figure 6.1 Third-party software—known installed apps and possibly unknown ones.
There are several global locations where cyber adversaries are based and from which they can carry out their malicious deeds in such a way that they are undetectable. More recent and potentially more dangerous are those associated with or closely aligned with nation-states, such as those in China and Russia. Threats emanating from these state-sponsored cyber operations consist of cyber-warfare espionage, ideological and political extremism, profit-motivated criminal activities, or supplying other criminal organizations that are geared to use acquired data, particularly ID information, for criminal gain and influence. Recent usage by local criminal gangs in the United States has varied from credit card fraud and false Internal Revenue Service (IRS) filings to large-scale bank fraud. But such stolen information can filter down to street-level criminals or to individual hackers who use that stolen information for personal gain, vengeance, or simply to achieve some level of fame within the hacking community.
The steps a hacker takes to become successful begin with surveillance. Remote hackers need to carry out surveillance of the people, communication systems, organization charts, buildings, and the data process structure of a company in order to penetrate their target. The first action a hacker will take is to identify which targets suit their purposes. The target may be a company such as Anthem, JP Morgan Chase, Sony, or any other large American company. Alternatively, the hackers may target a third-party software vendor, many of which are particularly attractive to hackers since they then provide a vehicle to ride on into unsuspecting target sides. There are many behind-the-scenes applications that typical users may not even know are running and present an open opportunity to hackers. Once a vulnerable target is identified, the hacking process can begin.
Successful hackers are diligent and persistent researchers. They will first study potential targets in a non-intrusive way, collecting information from social media and websites and other available information to understand the behaviors and resources that a target will use. Common information sources and tools that hackers use to gather information are the target’s corporate website, getting telephone contact and organization information from the website or from organizational telephone books. The hacker then might employ simple social engineering to gather information from target company employees or from the target’s suppliers or customers. They will then examine the Facebook and LinkedIn pages of specific individuals, looking for information that they can use. As a result, hackers will create custom client protocol libraries, conduct manual security analysis, and begin looking for opportunities to gain authentication, utilize overflow techniques, and place backdoor traps and Trojan.Derusbi-like malware.
An approach that hackers will utilize to attract their targets is to single them out based on their personal behaviors that the hackers have researched. As previously mentioned, spear-phishing e-mails are commonly used in efforts to trick the target into giving information. By tricking the victim into clicking on a link in an e-mail, this technique leads the victim to unintentionally download software, which is then used by the hacker to acquire the target’s personal identification information and thus enabling the attacker to immediately gain authorized access to and interact with the victim’s systems within minutes.
Another attack approach initiated by hackers is the use of watering holes. Hackers create an attractive website catering to the target’s particular patterns of Internet access and behaviors. The hackers then wait for the victim to access the website and come to them. Hackers will infect a specific attractively identified component with an associated download and wait for the target to download the infected files; this allows the hacker to gain the information required to enter the target company’s information systems as an “authorized” user—frequently a systems technician who has widespread access to the company’s systems, software, OSs, and database management systems.
The strategy of the hacker is to get control of an initial victim so that they can acquire credentials, understand the layout of the complete data-processing environment, gain access into a specific system, install custom-made malicious software, gain administrator credentials to go deeper into a network, establish one or more backdoors, and communicate with and eventually infiltrate an overall command and control (C&C) server. The more current the updates and fixes to all the company’s computer systems, the more difficult it is for the hackers to penetrate them once inside the target’s data-processing networks. This is a good reason to keep your computers and programs current and backed up.
Hackers withdraw intellectual property and/or your credentials from the C&C servers. They can draft your computer for later use in additional attacks such as a distributed denial of service (DDoS) in an attempt to make a machine or network resource unavailable to its intended users. The theft of intellectual property in the United States alone is measured in terabytes of data a year.
Universities are often a source that hackers will regularly penetrate to cloak their source and will route major attacks through them. Employees are prime targets for hackers to research and gain access into universities. Universities tend to be decentralized and are porous, creating perfect proxies.
Antivirus protection is something that you need to have to detect attacks early on; however, antivirus programs tend only to be speed bumps to a determined hacker. Hackers can also use zero-day attacks, which are attacks that exploit a previously unknown vulnerability in a computer application and which no antivirus can detect.
Hackers can attempt to penetrate companies by stealing and obtaining corporate passwords. With passwords obtained, hackers can gain access to the personal computers of the employees, collect information, and install custom pieces of malware.
When hackers have been discovered within a company’s systems, a key approach is to leave the hackers’ activity alone and to track that activity. By doing this, a company can learn the attackers’ methods and procedures, where they have installed malware, what that malware code looks like, and the code’s creation signatures, so that they can later identify it and its possible variations and eventually prevent a return. And then, they can share their information with other companies and the Federal Bureau of Investigation (FBI).
Many companies then create a false but attractive subsystem within their network, which has fake but apparently real and useful information so that the hacker is attracted to access that false site—termed a honeypot. The company then keeps populating that honeypot with an increasing amount of attractive information, determining which seems of interest to the hacker. From this, the company’s security personnel can create profiles of the hacker, their behavior, and their vulnerabilities, which will later prove valuable in creating monitoring tools.
The goal of a hacker is typically to harvest any points of information they can obtain. They will try to collect usernames and passwords, financial information, extortion potentials (useful for ransomware), identity hijacking, botnets, virtual goods. Botnets are a collection of infected computers that a botmaster triggers by command over the Internet to simultaneously send a flood of messages to a target site in order to overload it. This is a classic form of a DDoS attack. The “bots” are the infected computers.
Attack vectors may include
■ Spear-phishing e-mail messages
■ Phone calls that target you at home
■ USB sticks left lying around anywhere
■ Weak passwords, vulnerable machines
■ Drive-by downloads: the unintentional download of malware onto your computer which usually take advantage of a browser, application, or operating system security flaw
■ Coupon bars: web browser add-ins that analyze the websites your browser visits and may make that information available to hackers
As previously discussed, spear phishing is the most common way for hackers to attack their victims. In phishing, you (the victim) are the fish! Hackers will spear their targets with e-mails that request you to click on something that appears to be legit but provides the hackers with a vehicle to gain personal information and access to your system. All the hacker needs is one response from one victim to gain access to the targeted corporate victim. Anything can be spoofed and made to appear to be real. Phones can be spoofed to display a fake name. Wireless hotspots can be spoofed in public places.
The human is always the weakest link and the most attractive target for hacking. Hackers strike by studying the behavior of people and learning about their vulnerabilities. They strike from a distance. Third-party software is likely to be a target. Hackers create their own protocol libraries and use a set of tools to gain access. Vulnerable software may be software that the user does not even know is present on their system and is being actively executed.
Security efforts frequently involve basic binary analysis. Security experts need to be able to identify what good binary code looks like and what binary damage looks like, and they need to be able to find malware and malware damage as it exists in binary form on their computer systems. Best practice includes (1) looking at all the dynamic link libraries (DLLs, which provide a mechanism for sharing code and data) that are loaded with each application, (2) examining all exposed APIs and text strings, (3) performing a trace on all incoming packets to get a feel for the structure of the application, (4) looking for dangerous code patterns, and (5) conducting code-coverage reviews. Binary analysis can uncover potential vulnerabilities associated with basic data flow from the network, the use of bad APIs or simple backdoors traps and malware, exploitable bugs, and vulnerabilities that have not yet been discovered.
Special test programs can be employed for the purpose of placing a procedure call to application programs for the purpose of discovering coding errors and identifying security loopholes in that called software. These test programs can also discover similar exploitable loopholes in the operating system, the database software, and network software. This test process inputs massive amounts of random data, commonly termed fuzz, to the computer system in an attempt to make it crash and, in a trial and error fashion, discovers where there are errors in the software.
Hackers share and have access to the source code used by most OSs, database management systems, networking systems, and many popular applications, and they are constantly analyzing it for loopholes. Furthermore, they share what they have learned at popular websites on the dark web. Automated source-code analyzers designed to look for hacker modifications do not solve this problem and have a high false positive rate.
Defensive security approaches can be employed:
■ Carrying out manual analysis (this tends to burn out programmers rather quickly, however)
■ Employing programmers with special talent to design especially secure software
■ Moving systems to a more secure platform and OS, and using vendor-supplied hardware and software systems that are certified to be secure
Another strategy is to continually research emergent hacker behavior. Hackers maintain a pipeline of activities and post their results on dark websites. Look for
■ The protocols that are the most buggy
■ The bug classes that are hard to scan
■ The bugs that create themselves
■ Currently deployed exploitation techniques
Zero-day exploits are hacker obsessions. These are attempted by hackers on the day that the notice of the vulnerability is released to the public or even before. Sometimes, exploits are available even before the author is aware of a vulnerability or has developed corrected code. Zero-day attacks are a severe threat and are known as zero day because once the flaw is known, the programmer or developer has zero days to fix it. Modern zero-day attacks often combine multiple attack vectors and vulnerabilities into one exploit, making it difficult for forensic teams or intrusion detection and prevention systems (IDS/IPS) to identify a signature. Many of these are used only once on high-value targets. An average zero-day lifetime is around 348 days. However, a long-life zero-day exploit can exist for up to 3 years.
In the future of hacking, you can look for hackers to combine efforts using hacker teamwork. Additionally, you can look for more embedded system attacks and for far more interesting classifications of bugs and viruses.
Basic Control of Hijacking Attacks
An attacker’s goal is to take over and have hidden ownership of a target machine, such as a web server, and to execute arbitrary code on that server by hijacking an application’s control flow. One historical technique is a buffer overflow attack. Overflows are extremely common bugs in C/C++ programs executing on UNIX or Linus OSs; flaws are exploited when more data (containing malware code) is deliberately written to a block of memory, or buffer, than that buffer has actually been allocated to hold.
To exploit buffer overflows, the attackers need to know which central processing unit (CPU), OS, and code language is being used on the target machine. Buffers are blocks of memory allocated in the form of an array. When the size of an information field is not verified in terms of that provided by the OS, it is possible for a hacker to write or send an information field containing malware in the intended overflow, which will overflow the allocated buffer. If such an action takes place in a block of memory higher than that of the buffer return address, it is called a buffer overrun. An attacker will determine the return address in the memory stack by guessing the approximate stack state and inserting no operation (NOP) lines of code. The attacker then falls through the NOP lines of code to locate the return address or the malware code.
A similar problem exists when writing to a buffer within memory addresses below the allocated buffer. In this case, it is called a buffer underflow. Underflows occur much more rarely than overruns, but they do occasionally show up. A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun.
What you need to know to combat an attack is an understanding of C-language functions, the stack and the heap; and knowing how system calls (from the program to the OS) are made and executed. To find such an intended an overflow, you need to be able to run a web server on a local machine and issue malformed requests (such as requests ending in $$$$) to find overflow locations. If the web server crashes, one searches the core dump for $$$$ to determine the location of the overflow material.
More hacking opportunities exist:
■ Integer overflow: This is the condition that occurs when the result of an arithmetic operation exceeds the maximum size of the integer type used to store it.
■ Format string bugs: Print functions and logging functions are common vulnerable functions where format string bugs occur and can allow the disclosure of information. Format string problems can also be used to execute arbitrary code.
■ Dumping arbitrary memory: An exploit that can be used to print out a password file that could be manually picked up.
In order to protect their information, processing platform companies need to invest in building and purchasing a complete security tool set. Investing in tools such as StackGuard and LibSafe can enable companies to customize, protect, and defend against the efforts of hijacking. StackGuard and LibSafe are tools designed to prevent attackers from overwriting the return address and hijacking the control flow of a running program. The steps companies should take to take prevent hijacking attempts are as follows:
1. Fix bugs: Audit software with automated tools and, if necessary, rewrite software in a type safe language (such as JAVA, ML). This process is difficult for existing legacy code.
2. Concede overflow but prevent code execution.
3. Add run-time code to detect overflow exploits and halt the process when an overflow exploit is detected.
4. Data execution prevention (DEP): Prevent attack code execution by making stack and heap as non-executables.
Return-oriented programming, or ROP, is an advanced version of a stack-smashing attack. An adversary manipulates the call stack by taking advantage of a bug in the program, which is often a buffer overrun. A function that does not perform proper bounds checking before storing user-provided data into memory and accepts more input data than it can properly store indicates a buffer overrun.
If the data is being written onto the stack, the excess data may overflow the space allocated to the function’s variables and overwrite the return address. This address will later be used by the function to redirect control flow back to the caller. If it has been overwritten, control flow will be diverted to the location specified by the new return address.
Address space layout randomization (ASLR) is a computer security technique involved in protecting systems from buffer overflow attacks and preventing shellcode from being successful. In order to prevent an attacker from reliably jumping to a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas in a process, including the base of the executable and the positions of the stack, heap, and libraries.
ASLR hinders some types of security attacks by making it more difficult for an attacker to predict target addresses and address space layout randomization based on the slim chance of an attacker guessing the locations of randomly placed areas.
Just-in-time (JIT) spraying is a class of computer security exploits that circumvent the protection ASLR and data execution prevention (DEP) offer by exploiting the behavior of the JIT compiler. It has been reported to have been used to penetrate security features in the PDF format and in Adobe’s Flash technology.
By definition, a JIT produces code as its data. Since the purpose is to produce executable data, a JIT compiler is one of the few types of programs that cannot be run in a no-executable-data environment. Because of this, JIT compilers are normally exempt from data execution prevention. A JIT spray attack carries out heap spraying with the generated code. To protect against JIT spraying, the JIT code can be disabled or made less predictable for the attacker.
The first solution is to employ StackGuard, a simple compiler extension that limits the amount of damage that a buffer overflow attack can inflict on a program. StackGuard completes runtime tests for stack integrity by embedding a “canary” word next (prior) to the return address on the stack. Once this function is done, the new tear-down code verifies that the canary word is unmodified and intact prior to function return. If the integrity of the canary word is compromised, the program will terminate. StackGuard utilizes two types of canaries to defeat an attack. The first is a Random Canary, which is a 32-bit number chosen only at runtime. To corrupt that Random Canary number, an attacker needs to attempt a scan through the executable images of the code after the number has been computed and prior to the execution of the program. The second is a terminator canary made up of common termination symbols that prevent string functions from being copied into memory space. The weakness of StackGuard is that canaries do not provide full protection. Function parameters are not fully protected, frame pointers can be altered, and local variables can be controlled. ProPolice (from IBM) can be used to protect pointer args and local pointers from buffer overflow. Pointer args means “pointer argument,” where the argument attached to the pointer tells the direction that the pointer is indicating should be followed. Additionally, PointGuard can provide heap protection and protect function pointers and setjmp buffers by encrypting them. Setjmp is a C language device to provide branching (jumps) control flow that deviates from the usual subroutine call and return sequence.
Canaries are an important defense tool, but they do not prevent all control hijacking attacks. Heap-based attacks, integer overflow, and exception handling attacks are still possible. Additional tools such as/SAFESH, a linker flag of safe exception handlers; and/SEHOP, a platform defense that inserts and then verifies dummy records, are also needed.
The second solution is to employ a program such as LibSafe (from Avaya Labs), which is a dynamically loaded library designed to intercept all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program. The true benefit of using LibSafe is to protect against future attacks on programs that are not yet known to be vulnerable. The performance overhead of LibSafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, recompilation, or off-line processing of binaries.
Advanced Hijacking Attacks: Heap Spraying
In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.
Heap sprays have been used occasionally in exploits since at least 2001, but the technique started to see widespread use in exploits for web browsers in the summer of 2005 after the release of several such exploits that used the technique against a wide range of bugs in Internet Explorer. The heap sprays used in all these exploits were very similar, which showed the versatility of the technique and its ease of use, without the need for major modifications between exploits. It proved simple enough to understand and use to allow novice hackers to quickly write reliable exploits for many types of vulnerabilities in web browsers and web-browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit, combined with a small piece of script or HTML that triggers the vulnerability.
Heap sprays for web browsers are commonly implemented in JavaScript, and they spray the heap by creating large strings. The most common technique used is to start with a string of one character and concatenate this with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine. Depending on how the browser implements strings, either American Standard Code for Information Exchange (ASCII) or Unicode characters can be used in the string. The heap spraying code makes copies of the long string with shellcode and stores these in an array, up to the point where enough memory has been sprayed to ensure that the exploit works.
The Final Solution to Hacking Attacks
The final protection is to employ a monitoring system, such as Rivest–Shamir–Adleman (RSA)’s ECAT Monitor, which has a large and growing file of malware signatures and behavior patterns; these are continually scanned for and trigger the planned-for response that the security team is organized to employ.
QUESTIONS
1. Hackers need to do what in order to penetrate their targets?
2. Provide two examples of how hackers attract the victim.
3. Explain what binary analysis is.
4. What makes a vulnerability a zero-day vulnerability?
5. How do hackers overwrite the return address?
6. What technique can you use to protect yourself from buffer overflow?
7. How many steps can companies take to prevent hijacking and what are they?