Attack Methods and Countermeasures

  • Identify and explain basic malicious code threats and common defensive mechanisms.

To design an effective defense against malicious use of your network, it's important to gain an understanding of the general and specific threats that you face in the contemporary computing environment.

We'll look at six main types of attacks: malicious code, buffer overflow attacks, denial-of-service attacks, network reconnaissance, use of hacker tools, and physical/human attacks. We'll also examine some of the countermeasures that can be applied to harden your systems against these risks.

Malicious Code

Malicious code threatens computing systems every day—it's been around in one form or another almost as long as we've used computers. You're probably at least casually familiar with many of the terms used to describe malicious code: Viruses, worms, Trojan horses, and logic bombs are some of the more commonly seen variants. We'll look at these four in detail.

Viruses

In the field of medicine, viruses are naturally occurring parasites that infect a host and cause disease. The viruses of computer science are not much different—they are parasitic segments of code that spread themselves from computer to computer by attaching to legitimate programs or portions of the operating system. One major difference between computer viruses and biological viruses is that computer viruses never occur naturally—they are always man-made.

Viruses do not necessarily have a malicious payload. In fact, a virus could do absolutely nothing except spread itself from computer to computer and still be classified as a virus because it meets the technical definition. However, the vast majority of viruses and other malicious code objects perform some type of malicious action, such as flashing annoying messages on the screen or destroying all the data stored on a host computer's hard drives.

There are three main types of viruses:

  • File Viruses. Attach themselves to executable files (for example, .exe or .com files on a Microsoft-based system). Each time the host program executes, the virus is also given the opportunity to execute.

  • Boot Viruses. Infect the boot sector or Master Boot Record of a PC's disk, the code that runs before any operating system loads, and execute each time the system is booted. Several years ago, boot viruses were the most commonly occurring viruses. However, the surge of macro viruses and email-borne scripts has bumped them to number two.

  • Macro Viruses. Spread in two ways: through infection of macro-enabled documents or through scripts attached to or embedded in electronic mail messages. (These viruses are written in a scripting language, such as VBScript or Visual Basic for Applications.) The infamous “ILOVEYOU” outbreak of May 2000 was a VBScript program that arrived as the attachment LOVE-LETTER-FOR-YOU.TXT.vbs, mailed itself to every entry in the victim's Outlook address book, infected millions of systems within days, and caused damages estimated in the billions of dollars.

Within these classifications, viruses may also have one or more special characteristics that make them harder to detect and eradicate:

EXAM TIP

Know How to Handle Office Documents The TICSA exam often includes one or more scenario questions that ask whether it is safe to open a Microsoft Office document based upon the document type and the warning(s) you receive upon opening it.


  • Stealth Viruses. Utilize advanced techniques to fool virus-detection software and casual observers. For example, file viruses normally increase the size of the file they infect. However, if that virus uses stealth techniques, it might cause the operating system to return the size of the original, uninfected file when the directory is viewed.

    IN THE FIELD: THE INNER WORKINGS OF BRAIN

    Brain, written in Pakistan in 1986, is generally considered the first PC virus and the first to use stealth techniques. This boot-sector virus uses an ingenious technique to avoid detection by antivirus systems. When it infects a system, it makes a copy of the original boot sector and stores it in another location on the disk. It then hooks the BIOS disk interrupt and traps any request to read the boot sector (such as those initiated by a virus-detection program), redirecting it to the saved copy so the sector appears clean. This was enough to fool early antivirus programs. At the time, the only ways to discover the infection were to either use direct input/output requests that bypassed the hooked interrupt to examine the contents of the boot sector, or to boot from an uninfected disk and examine the infected drive.


  • Encrypted Viruses. Store the bulk of their code in encrypted form and carry a small decryption routine that restores it at run time. Because the encrypted body looks nothing like the plaintext the antivirus vendor analysed, signatures taken from the body no longer match; only the decryption routine itself stays constant and scannable. Viruses that utilize encryption are often polymorphic as well.

  • Polymorphic Viruses. Modify themselves each time they replicate to avoid detection, typically by re-encrypting the body under a new key and rewriting the decryption routine so that each copy contains different instructions (either in content or order) than its predecessors. This defeats signature-based detection of the decryptor as well as of the body, and is the reason scanners added emulation and heuristic analysis to plain pattern matching.
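To see concretely why encryption and polymorphism trouble a signature scanner, here is an added example that is not from the book and contains no real virus code: a byte-pattern scanner run over a constructed “infected” image made of a fixed decryptor stub, a one-byte key, and a body XORed with that key. The byte values of the stub, the body and the signature are invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-pattern search: the core operation of a signature scanner. */
static int contains(const uint8_t *hay, size_t haylen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > haylen) return 0;
    for (size_t i = 0; i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Constructed stand-ins (invented byte values, not real code):
   BODY     the virus body as the vendor's analyst saw it in plaintext
   BODY_SIG the signature the vendor extracted from that plaintext body
   STUB     the small decryptor placed before the encrypted body; in a plain
            encrypted virus it is the same in every copy */
static const uint8_t BODY[]     = { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xBA, 0xBE };
static const uint8_t BODY_SIG[] = { 0xBE, 0xEF, 0xCA, 0xFE };
static const uint8_t STUB[]     = { 0x31, 0xC0, 0x31, 0xDB, 0xFE, 0xC1 };

#define IMAGE_MAX 64

/* Build one "infected" image: stub, then the key byte the stub reads, then the
   body XORed with that key. Key 0 yields the plaintext body. Returns the image
   length, or 0 if the output buffer is too small. */
size_t build_sample(uint8_t *out, size_t outlen, uint8_t key)
{
    size_t n = sizeof STUB + 1 + sizeof BODY;
    if (n > outlen) return 0;
    memcpy(out, STUB, sizeof STUB);
    out[sizeof STUB] = key;
    for (size_t i = 0; i < sizeof BODY; i++)
        out[sizeof STUB + 1 + i] = (uint8_t)(BODY[i] ^ key);
    return n;
}

/* Scanner 1: plain signature match on the body. Only the plaintext body matches. */
int body_signature_hit(const uint8_t *img, size_t len)
{
    return contains(img, len, BODY_SIG, sizeof BODY_SIG);
}

/* Scanner 2: match on the decryptor stub, which is constant across keys.
   A polymorphic virus rewrites the stub too, which defeats this scanner. */
int stub_signature_hit(const uint8_t *img, size_t len)
{
    return contains(img, len, STUB, sizeof STUB);
}

/* Scanner 3: emulate what the stub does (read the key, XOR the body back) and
   then apply the body signature to the result. This generic-decryption approach
   works for every key, as long as the stub can be emulated. */
int emulated_signature_hit(const uint8_t *img, size_t len)
{
    if (len < sizeof STUB + 1 || len - sizeof STUB - 1 > IMAGE_MAX) return 0;
    uint8_t key = img[sizeof STUB];
    uint8_t plain[IMAGE_MAX];
    size_t body_len = len - sizeof STUB - 1;
    for (size_t i = 0; i < body_len; i++)
        plain[i] = (uint8_t)(img[sizeof STUB + 1 + i] ^ key);
    return contains(plain, body_len, BODY_SIG, sizeof BODY_SIG);
}

/* Build a sample under the given key and run all three scanners. Returns a
   bitmask: 1 = body signature hit, 2 = stub hit, 4 = emulated hit. */
int scan_sample(uint8_t key)
{
    uint8_t img[IMAGE_MAX];
    size_t n = build_sample(img, sizeof img, key);
    return body_signature_hit(img, n) | (stub_signature_hit(img, n) << 1)
         | (emulated_signature_hit(img, n) << 2);
}

int main(void)
{
    printf("plaintext (key 0x00): mask %d\n", scan_sample(0x00));  /* 7: every scanner hits */
    printf("encrypted (key 0x5A): mask %d\n", scan_sample(0x5A));  /* 6: body signature misses */
    return 0;
}
```

With a nonzero key only the stub scanner and the emulating scanner match. A polymorphic virus would also rewrite the stub on every copy, taking the second scanner out as well and leaving emulation or behavioural heuristics as the scanner's remaining options.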

NOTE

Keep Up to Date Keeping current on virus information is a difficult task. You might want to consider subscribing to one or more of the security mailing lists available on the Internet to ensure you receive timely alerts. Consult the SANS Web site at http://www.sans.org or the CERT Web site at http://www.cert.org for two excellent alert lists.


Viruses have plagued system administrators since the earliest days of computing. The battle between malicious code writers and antivirus software vendors rages to this day and results in rapid changes in virus technology. Each upgrade in defensive software quickly results in a new wave of more sophisticated viruses. As of February 2002, Symantec Corporation (the makers of Norton AntiVirus) listed 58,792 unique viruses in its encyclopedia. Take this threat seriously!

Worms

On November 2, 1988, Robert T. Morris, a graduate student in computer science at Cornell University, changed the face of computer security forever. Morris unleashed a piece of malicious code that has become known as simply “The Internet Worm.” Up until that point, security was of little concern to the architects of the Internet. In fact, the Internet of 1988 consisted of only approximately 60,000 machines located at educational and scientific institutions and government laboratories.

Worms are actually quite similar to viruses. They spread themselves from system to system by exploiting security vulnerabilities. Most worms carry some sort of payload and can perform any malicious action the author desires. The major difference between the worms and viruses is that worms are executable programs in and of themselves, whereas viruses attach themselves parasitically to legitimate code residing on the infected machine.

Morris executed his worm by connecting from Cornell to a single system at MIT (apparently in an attempt to avoid having the worm traced back to his own institution). He executed the code on that system and it began to search for potential targets. Each time it found a target, it attempted to gain access to the new system by exploiting four separate security vulnerabilities in the Unix operating system (virtually all hosts on the Internet ran Unix at that time).

The first technique exploited a buffer overflow vulnerability in the finger daemon (see the “Buffer Overflow Attacks” section for further information). The second sought out systems that granted special trust permissions to the local system (through rsh/rexec and .rhosts or hosts.equiv entries) and attempted to use those privileges to gain surreptitious access. (This concept is covered in Chapter 8, “Operating System Security.”) The third attack utilized a back door (see the “Back Doors” section later in this chapter) in the sendmail program that relays electronic mail across the Internet: the DEBUG command, left enabled in many installations, let a remote sender run commands on the mail host. The final exploit was a dictionary attack against the local password file (see the “Dictionary Attacks” section later in this chapter). The worm carried no destructive payload, but a flaw in its check for hosts already infected caused it to reinfect machines over and over, so the affected systems ground to a halt under the load.

A team of security experts from MIT, Purdue, and the University of California at Berkeley eventually shut down the worm, but only after it caused an estimated 6,000 hosts (roughly 10% of the Internet) to grind to a halt. The federal government prosecuted Morris under the Computer Fraud and Abuse Act, the first conviction under that statute, and sentenced him to three years' probation, a $10,050 fine, and 400 hours of community service.

The Morris worm is long gone and security practitioners developed and applied patches to remove the vulnerabilities it exploited. However, as with viruses, new and more innovative worms affect the Internet every year. The Sircam worm crawled its way through the ether during 2001 with a more mischievous purpose—it sent out confidential documents from the hard drives of infected machines, deleted files, and consumed system resources. Most Internet users that year received at least one message from an infected system with the signature text “I send you this file in order to have your advice.”

Trojan Horses

In the legend of the Trojan War (told in Virgil's Aeneid and recalled in Homer's Odyssey), the Greek army used a hollow wooden horse to smuggle troops inside the Trojan city walls. This mistake quickly led to the destruction of the city. Today's electronic Trojan horses use a similar tactic: they consist of programs that purport to do one task (and may actually do it), but also have a more nefarious purpose behind the scenes.

For example, there is a version of Solitaire roaming the Internet that functions perfectly normally from the user's perspective. However, while the player happily shuffles cards, the Trojan horse modifies files stored on the local hard disk.

Another Trojan horse, the AOL4FREE program, first appeared in 1997 but occasionally resurfaces today. It arrives as an email attachment promising users that if they execute it, it will modify their America Online (AOL) software so that it avoids monthly charges. In reality, it displays an error message on the screen and destroys all contents of the user's C: drive.

Logic Bombs

Logic bombs are malicious code objects that lie dormant on a system until one or more predetermined conditions occur. After circumstances take place that satisfy those trigger criteria, the logic bomb leaps into action and delivers its payload.

Logic bombs can take the form of any malicious code object—viruses, worms, and Trojan horses can all contain special code elements that transform them into logic bombs. For example, the Michelangelo virus that caused a media frenzy in 1992 contained a logic bomb component that threatened to wipe out systems on March 6th, the birthday of the famous artist.

Trigger criteria can consist of requirements much more complex than a certain calendar date. For example, a system administrator in fear of losing her job might bury a logic bomb deep inside a file server that checks each morning to ensure that the system administrator's account still exists. If the account is missing (presumably as a result of the administrator's termination), the bomb might wait several days and then delete or modify files critical to the business.

Countermeasures

When it comes to malicious code defense, knowledge is definitely power! If you're involved in security administration, it's critical that you take the time to keep current on the latest threats and countermeasures.

Viruses and worms can often be blocked through the use of a good virus-protection program along with a virus-definition update subscription. If you're protecting a small computing environment, you'll be well served by purchasing copies of an inexpensive desktop virus-protection program from a software retailer. If you're operating in a more complex environment, you may want to consider an enterprise virus-protection solution, possibly with a 24-hour support option.

Trojan horses are more difficult to defend against—you must set and enforce firm policies regarding the importation and use of software. Cleverly designed firewall rules, in particular outbound rules that stop an infected host from opening connections back to an attacker, can also limit the damage done by a Trojan horse should it be successfully introduced into your network.

Logic bombs are arguably the most dangerous malicious code threats and the hardest to protect against. Any technically competent individual in your organization can create one and many can evade common security protections. In fact, there are a number of virus-creation toolkits available today that make it extremely simple to create a brand-new piece of malicious code. It's best to use smart hiring practices, especially when you're seeking to fill technical positions that involve a high degree of trust. Be sure to check references and account for any gaps in employment histories. If you have software developers on your staff, ensure that they follow good software engineering practices and that several sets of eyes examine any code before it reaches a production environment.

Remember that a good backup strategy is the cornerstone of any disaster recovery plan. In the worst-case scenario, in which malicious code destroys your organization's data, you'll need to resort to the backup tapes to minimize your losses.

Buffer Overflow Attacks

Operating systems and applications utilize temporary memory spaces known as buffers to store user input and the results of intermediate processing actions. Programmers create these buffers by setting aside a predetermined portion of the system's memory when they write the program. It is then their responsibility to ensure that the buffer is used properly and that the program never tries to overfill the buffer.

For example, a program might need to store a filename in memory during a computation. The programmer sets aside a portion of memory deemed sufficient to hold the filename, say 20 characters. Throughout the remainder of the code, the programmer must verify that any information placed into that buffer is 20 characters or fewer (19, if the buffer must also hold a terminating null character, as C strings do). This process is known as bounds checking and is an essential software engineering practice. If the program attempts to place 21 characters into the buffer and bounds checking does not prevent this placement, the buffer overflows: the program writes values into adjacent memory that does not belong to the buffer and may hold other variables, pointers, or a saved return address. When the oversized input comes from an attacker, the overwritten values are under the attacker's control. This is the principle behind a large number of known computer security vulnerabilities and the usual route from a mere crash to arbitrary code execution.
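The following is an added example in C, not code from the book, of the 20-character filename buffer described above, with a vulnerable copy routine next to its bounds-checked replacement. The struct layout, the is_admin field and the attacker input are hypothetical; the overflow is confined to the struct's own bytes so that the demonstration stays well-defined C rather than depending on undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 20-character filename buffer from the text, with a value the program
   relies on stored right after it (a stand-in for a flag, a pointer or a saved
   return address). Keeping both in one struct keeps the demo well-defined:
   the overflow below stays inside the struct's 24 bytes. Hypothetical layout. */
struct frame {
    char     filename[20];
    uint32_t is_admin;      /* memory that "does not belong to" the buffer */
};

/* VULNERABLE: copies len bytes without checking against sizeof filename.
   Byte 21 onward lands on is_admin. Shown for contrast; never do this. */
void store_filename_unchecked(struct frame *f, const unsigned char *src, size_t len)
{
    memcpy(f, src, len);            /* no bounds check: len may exceed 20 */
}

/* HARDENED: bounds checking. Returns 0 and stores a null-terminated copy if
   src (plus its terminator) fits, otherwise -1 and leaves the frame untouched.
   memchr bounds the scan, so an unterminated src is not read past 20 bytes. */
int store_filename_checked(struct frame *f, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof f->filename);
    if (nul == NULL)                /* 20 or more characters: no room for the NUL */
        return -1;
    size_t len = (size_t)(nul - src);
    memcpy(f->filename, src, len + 1);  /* copies the terminator as well */
    return 0;
}

/* Constructed attacker input: 20 filler bytes to fill the buffer, then the
   4 bytes that land on is_admin. Returns is_admin after the unchecked copy:
   nonzero although the program never set the flag. */
uint32_t demo_unchecked(void)
{
    struct frame f = { "", 0 };
    unsigned char input[sizeof(struct frame)];   /* 24 bytes: exactly the struct */
    memset(input, 'A', 20);
    input[20] = 1; input[21] = 0; input[22] = 0; input[23] = 0;
    store_filename_unchecked(&f, input, sizeof input);
    return f.is_admin;      /* 1 on little-endian hosts, 0x01000000 on big-endian */
}

/* Runs the checked copy on src. Returns 0 (stored) or -1 (rejected); returns
   99 if is_admin was disturbed, which a bounds-checked copy can never do. */
int demo_checked(const char *src)
{
    struct frame f = { "", 0 };
    int rc = store_filename_checked(&f, src);
    if (f.is_admin != 0) return 99;
    return rc;
}

int main(void)
{
    printf("unchecked copy: is_admin = %u\n", (unsigned)demo_unchecked());
    printf("checked copy of a short name: %d\n", demo_checked("report.txt"));
    printf("checked copy of a long name:  %d\n", demo_checked("this_filename_is_far_too_long.txt"));
    return 0;
}
```

The unchecked routine never compares len with sizeof filename, so the four bytes after the filler overwrite is_admin; the checked routine reads at most 20 bytes of its input and refuses anything that cannot be stored together with its terminating null. The C compiler performs no such check for you: in C and C++ the bounds check exists only if the programmer writes it.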

EXAM TIP

Remember the Cause of Buffer Overflows When taking the exam, keep in mind that buffer overflows are always the result of programmer error. The best way to prevent them is to implement bounds checking.


In this section, we examine two of the more fertile breeding grounds for buffer overflow attacks—Web applications and operating system components.

CGI and Web Code

The early pioneers of the Web created the Common Gateway Interface (CGI) to foster the development of truly interactive Web content. CGI, along with newer technologies such as Personal Home Page tools (PHP) for Unix/Linux systems and Active Server Pages (ASP) for Microsoft servers, allows for the creation of dynamic Web pages that alter their content based upon user input (from a form, for example).

These technologies facilitate the rapid development of Web code by novice developers armed only with a programming book and a vision. Although this is a wonderful selling point for software vendors, it's a nightmare for security-conscious system administrators. These same developers often possess little or no familiarity with security issues and aren't aware of the potential ramifications of a buffer-overflow vulnerability. CGI programs written in C or C++ without bounds checking leave the doors of the server wide open to malicious intruders. Scripts written in PHP, ASP, or Perl are protected from overflows by their interpreters, but the same failure to validate input shows up there as command, query, and script injection, so input validation remains the developer's responsibility whichever language is used.

Operating System Components

Custom code is not the only source of buffer-overflow vulnerabilities. In fact, there are many documented cases of operating system components and commercial applications with potentially disastrous security flaws.

Many of the known vulnerabilities occur in components of the Unix and Windows operating systems that provide services to Internet clients. One of the more notorious culprits is the Berkeley Internet Name Domain (BIND) code that provides a Domain Name System (DNS) implementation for many Unix systems. In fact, there are so many documented flaws in the BIND code, the SANS Institute named it first on their list of the “Ten Most Critical Internet Security Threats.” (CGI and other Web code with buffer-overflow vulnerabilities finished a close second.)

These vulnerabilities are not restricted to Unix systems, however. During the summer of 2000, Microsoft released a security bulletin detailing an egregious buffer-overflow vulnerability embedded in the code of its Outlook email software. You'll learn more about this vulnerability in Exercise 7.1.

Countermeasures

Quite simply, there is no excuse for a buffer-overflow vulnerability. Each and every one is the result of sloppy programming and failure to implement proper bounds-checking procedures.

Administrators responsible for Web servers should stress the importance of bounds checking upon their Web developers. It is a wise practice to develop a written set of procedures detailing who must authorize changes to specific pieces of code before they reach a production environment. For more details on this topic, see the section “The Importance of Change Management” in Chapter 3, “Information Security Basics.”

Operating system and application flaws are inherently more difficult to combat because front-line administrators do not have access to (nor would they likely understand!) the thousands of lines of source code that comprise most modern operating systems. Administrators should be certain to subscribe to vendor-specific security-alert mailing lists and update their systems when the vendor releases security patches.

NOTE

Open-Source Operating Systems Linux is an exception to the general rule that source code is not available to the public. Linus Torvalds and a worldwide community of programmers developed this open-source, Unix-like kernel and distribute it under the GNU General Public License (it is not in the public domain). The source code is readily available for those who want to view or modify it, as it is for the open-source BSD systems. If you're truly paranoid (as all good security practitioners are!), you can download the source code and scour it line by line for security flaws before installing it on your production systems, although in practice even open-source users rely mainly on prompt patching, because auditing millions of lines of kernel code is beyond any single administrator.


Denial-of-Service Attacks

Denial-of-service (or DoS) attacks allow a malicious individual to prevent authorized users of a computer or network from making use of those computing resources. DoS attackers do not necessarily want to gain illegitimate access to a system—they simply want to deprive everyone else from obtaining access. There are literally hundreds of types of DoS attacks in cyberspace and new ones appear every week. In this section, we take a look at four classic attacks that are often used as examples within the security community—Smurf, SYN floods, Land, and Teardrop.

EXAM TIP

Know Your DoS Attacks The TICSA exam often includes questions that ask you to identify one or more of the common denial-of-service attacks. Be sure you can provide a brief “in-a-nutshell” description of each.


Smurf

The Smurf attack and its variants abuse the Internet Control Message Protocol (ICMP) echo, or ping, function (see Chapter 2, “Fundamentals of TCP/IP,” for details on ICMP), together with routers that forward packets addressed to a subnet's broadcast address, to create a massive influx of traffic that clogs a network and overloads the targeted host. Smurf attackers fabricate an ICMP Echo Request that uses the address of the targeted host as the source and the broadcast address of a third-party network as the destination. Every machine on that network answers, and every answer goes to the victim.

For example, suppose an attacker with IP address 12.8.1.101 decided to launch an attack against a machine located at 129.75.16.12. The attacker happens to know that there is a vulnerable third-party network located at 212.16.18.0/24 whose border router forwards directed broadcasts, and uses it as a staging point for the attack. The attacker then utilizes a packet-crafting utility to send an ICMP Echo Request (or ping) packet with a source address of 129.75.16.12 and a destination address of 212.16.18.255. Every host on the third-party network receives this packet and dutifully responds to the “originator” (actually the victim) with an ICMP Echo Reply packet. Assuming that the third-party network is fully populated, this single-packet attack results in 254 replies bombarding the victim: an amplification factor of 254, bought with one packet of the attacker's own bandwidth.

NOTE

Spoofing The act of falsifying a packet's source address is known as spoofing and is a common technique of malicious individuals. It is seen in many network attack techniques, including the Smurf attack.


Of course, in a real denial-of-service attack, the attacker launches many attack packets, possibly exploiting several different third-party networks. Each one of these packets is magnified by the use of the broadcast destination address and the victim is quickly overwhelmed by the influx of traffic. At best, the target computer (and most likely every other host on the same subnet) experiences significant difficulty connecting to the Internet. At worst, the rapid-fire traffic could completely overwhelm the target's operating system and cause a complete crash.

SYN Floods

As you learned in Chapter 2, TCP uses a three-way handshake to set up connections between two systems. Recall that, in a standard connection, the initiating host sends a packet to the destination host with the SYN flag set. The destination then responds to the initiator by sending a packet with both the SYN and ACK flags set. Finally, the initiator completes the connection setup by sending a packet with the ACK flag set.

When the destination host receives the first packet, it sets aside a small amount of memory to store information about the connection. If the handshake isn't immediately completed, it maintains the half-opened connection for a specified period of time until it expires and the memory is released. This provides some degree of protection against network connectivity issues—if the path between two hosts is slow or congested, the handshake is provided with a buffer period in which it can complete.

However, this also results in a serious protocol vulnerability that led to the SYN Flood series of attacks. In these attacks, a malicious host sends an extremely large number of SYN packets to a listening port on the victim, usually with spoofed source addresses, so that the SYN/ACK replies go unanswered and every half-open connection lingers until it times out. The table of half-open connections (the listen backlog) fills within seconds, and the target then discards the SYNs of legitimate clients while spending memory and processing time on the fake ones. Fortunately, most vendors offer security patches and updates that limit the effectiveness of this type of attack: larger backlogs, shorter half-open timeouts, and SYN cookies, which encode the connection state in the SYN/ACK sequence number so that the server stores nothing until the final ACK arrives.

Land

The Land attack also utilizes SYN packets in a malicious manner. In this situation, the attacker artificially creates a TCP SYN packet whose source IP address and port are identical to its destination IP address and port, so that the packet appears to come from the victim to itself. This type of packet would never be seen on a healthy network. When certain operating systems (including unpatched Windows 95 and Windows NT 4.0 systems of the day) receive Land packets, they are unsure how to process them and enter an infinite looping situation.

A successful Land attack results in a complete crash of the operating system and requires a manual reboot by the administrator to restore the system to working order.

Teardrop

When a networking device encounters a packet that is too large for transmission, it breaks it up into fragments and uses a fragment numbering and offset system to facilitate reassembly at the destination. The Teardrop attack takes advantage of a vulnerability in this mechanism by artificially creating packet fragments with unexpected values in the offset field. Specifically, this attack creates fragments that contain overlapping offsets that confuse the receiving system.

It's easiest to comprehend this attack by considering an example. Suppose a router receives a packet of length 12 destined for a specific host. The network path between the router and the destination host allows only the transmission of packets of length 5. The router is then required to break the packet into fragments for transmission to the destination. The first fragment consists of the first 5 units of data. Its length is 5 and the offset is 0. The second fragment consists of the second 5 units of data. Its length is 5 and the offset is 5 (indicating that the first unit of data should be placed in position 5 when the target reassembles it). The third fragment contains the last 2 units of data. Its length is 2 and the offset is 10. (Real IP fragment offsets are expressed in 8-byte units; the example uses single units to keep the arithmetic simple.)

When the destination host receives these fragments, it uses the length and offset information to reassemble the fragments into the original packet and then continues with normal processing of the packet. See Figure 7.1 for a visual example of a Teardrop attack.

Figure 7.1. Teardrop attack.


In the Teardrop attack, the destination host receives fragments that contain overlapping offsets. Using the previous example, the offset for the second fragment might be set to 4. This causes the two fragments to overlap (two data units are attempting to occupy position 4—the last unit of the first fragment and the first unit of the second fragment) and may result in a fatal operating system error.

A variation of this attack uses nonadjacent fragments to cause similar problems. In this variation, the offset of the second packet might be set to 6. This creates a gap in the reassembled packet because no data unit occupies position 5.
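As an added example that is not from the book, the following C code implements the tiling check a fragment reassembler should perform before it copies any data, using the 12-unit packet from the text. The fragment structure and the verdict names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* One fragment as the reassembler sees it: where it starts in the original
   packet and how many data units it carries. Real IPv4 expresses the offset in
   8-byte units; the text's example uses single units, and so does this code. */
struct fragment { unsigned offset; unsigned len; };

enum verdict {
    TILING_OK,         /* fragments cover [0, total_len) exactly once */
    TILING_OVERLAP,    /* a fragment starts inside the previous one (Teardrop) */
    TILING_GAP,        /* a fragment starts past the end of the previous one */
    TILING_OVERRUN,    /* a fragment reaches beyond the declared packet length */
    TILING_INCOMPLETE  /* consistent so far, but the tail has not arrived */
};

/* Fragments arrive in any order; sort by offset first. Insertion sort is fine
   for the handful of fragments a single packet produces. */
static void sort_by_offset(struct fragment *f, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        struct fragment key = f[i];
        size_t j = i;
        while (j > 0 && f[j - 1].offset > key.offset) { f[j] = f[j - 1]; j--; }
        f[j] = key;
    }
}

/* Validate the tiling before a single byte goes into the reassembly buffer.
   The historical Teardrop bug lived exactly here: the receiver trimmed the new
   fragment to remove the overlap, was left with a negative remaining length,
   and passed it to a copy routine as a huge unsigned count. Rejecting the
   overlap up front means that arithmetic is never done. */
enum verdict check_tiling(struct fragment *f, size_t n, unsigned total_len)
{
    sort_by_offset(f, n);
    unsigned expected = 0;                  /* where the next fragment must start */
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < expected) return TILING_OVERLAP;
        if (f[i].offset > expected) return TILING_GAP;
        if (f[i].len > total_len - f[i].offset) return TILING_OVERRUN; /* no unsigned wrap */
        expected = f[i].offset + f[i].len;
    }
    return expected == total_len ? TILING_OK : TILING_INCOMPLETE;
}

/* The 12-unit packet from the text split at 5 units. Variant 0 is the honest
   split (offsets 0, 5, 10); variant 1 is the Teardrop overlap (second fragment
   at offset 4); variant 2 is the gap variant (second fragment at offset 6). */
enum verdict text_example(int variant)
{
    struct fragment frags[3] = { {0, 5}, {5, 5}, {10, 2} };
    if (variant == 1) frags[1].offset = 4;
    if (variant == 2) frags[1].offset = 6;
    return check_tiling(frags, 3, 12);
}

/* Honest fragments delivered out of order are still accepted. */
enum verdict out_of_order_example(void)
{
    struct fragment frags[3] = { {10, 2}, {0, 5}, {5, 5} };
    return check_tiling(frags, 3, 12);
}

/* A fragment that claims more data than the packet holds (5 + 9 > 12). */
enum verdict overrun_example(void)
{
    struct fragment frags[2] = { {0, 5}, {5, 9} };
    return check_tiling(frags, 2, 12);
}

int main(void)
{
    static const char *names[] = { "OK", "OVERLAP", "GAP", "OVERRUN", "INCOMPLETE" };
    printf("honest split:   %s\n", names[text_example(0)]);
    printf("teardrop:       %s\n", names[text_example(1)]);
    printf("gap variant:    %s\n", names[text_example(2)]);
    printf("out of order:   %s\n", names[out_of_order_example()]);
    printf("overrun:        %s\n", names[overrun_example()]);
    return 0;
}
```

A gap after sorting is not always hostile: the missing fragment may still be in flight. A safe reassembler therefore holds the fragments it has, with a timeout, and copies nothing until the tiling is complete; what it must never do is trust the offsets enough to compute a copy length from them before the check.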

Notice that there's a large difference between the types of denial-of-service attacks discussed in this section. The Smurf and SYN Flood attacks utilize a “brute-force” approach to denying others the use of computing resources. To put it in simple terms, they hammer away at the target system until it can no longer efficiently process legitimate requests. The Land and Teardrop attacks, on the other hand, consist of cleverly designed packets that cause an operating system failure. A fair analogy is to compare the former type of attack to a massive ground assault on a target and the latter to the use of a single bullet by a trained assassin.

REVIEW BREAK

Table 7.1 reviews the types of attacks previously covered and their mechanisms of action.

Table 7.1. Denial-of-Service Attacks

  Attack Type   Mechanism
  Smurf         Spoofed ping packets to broadcast addresses (amplification)
  SYN Flood     High volume of unacknowledged SYN packets (half-open connection exhaustion)
  Land          Packet with identical source and destination address and port
  Teardrop      Overlapping (or gapped) packet fragments


Countermeasures

The most important countermeasure in the prevention of denial-of-service attacks is one you've already seen—ensuring that your operating system is up to date and all necessary security patches are applied. Many DoS attacks (such as the Land attack) depend upon specific operating system vulnerabilities; simply updating your OS version prevents them from affecting your system.

It's also extremely important to ensure that your network defense strategy includes some sort of antispoofing mechanisms. These filters are usually found at routers and firewalls and block packets with local source addresses from entering the local network from the outside. For example, if you are operating the 129.75.0.0/16 network behind a firewall, all network traffic originating from a host with an IP address in that subnet should originate on the internal side of the firewall. If a packet arrives from the outside with a local source address, it was probably spoofed and should be dropped.

Egress filtering is a close relative of antispoofing rules—it ensures that traffic leaving a local network bears a source address valid on that network. This doesn't necessarily help prevent attacks on systems within the protected network, but it's a “good-neighbor” practice that reduces the possibility that the local network could be used as a jumping-off point for attacks on other networks.
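The antispoofing and egress rules above, plus the directed-broadcast check that keeps a network from serving as a Smurf amplifier, as an added example in C that is not from the book. The function models a border router's decision for one packet; the prefix notation, the assumption that the internal block is carved into /24 subnets, and the verdict names are this example's own, and the addresses are the ones used in the Smurf example earlier in the chapter.

```c
#include <stdint.h>
#include <stdio.h>

struct prefix { uint32_t net; unsigned bits; };

/* Parse "a.b.c.d" into a host-order 32-bit value. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Parse "a.b.c.d/n" (the 129.75.0.0/16 notation used in the text). */
int parse_prefix(const char *s, struct prefix *p)
{
    char addr[16];
    unsigned bits;
    char tail;
    if (sscanf(s, "%15[0-9.]/%u%c", addr, &bits, &tail) != 2 || bits > 32) return 0;
    p->bits = bits;
    return parse_ipv4(addr, &p->net);
}

static uint32_t netmask(unsigned bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

int in_prefix(uint32_t ip, struct prefix p)
{
    return (ip & netmask(p.bits)) == (p.net & netmask(p.bits));
}

enum direction { FROM_OUTSIDE, FROM_INSIDE };
enum verdict { ALLOW, DROP_SPOOFED_SOURCE, DROP_DIRECTED_BROADCAST, DROP_BAD_ADDRESS };

/* Decision for one packet crossing the border device. internal is the block
   we own ("129.75.0.0/16" in the text); subnet_bits says how that block is
   carved into subnets behind the border (assumed /24 here), which defines
   which destination addresses are subnet broadcasts. */
enum verdict border_filter(enum direction dir, const char *src, const char *dst,
                           const char *internal, unsigned subnet_bits)
{
    uint32_t s, d;
    struct prefix p;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d) || !parse_prefix(internal, &p)
        || subnet_bits > 32)
        return DROP_BAD_ADDRESS;

    if (dir == FROM_OUTSIDE) {
        /* Ingress antispoofing: a packet arriving from outside cannot
           legitimately carry one of our own source addresses. */
        if (in_prefix(s, p)) return DROP_SPOOFED_SOURCE;
        /* Smurf amplifier prevention: refuse to forward outside traffic to a
           subnet broadcast address (host bits all ones) inside our block. */
        uint32_t hostmask = ~netmask(subnet_bits);
        if (subnet_bits < 32 && in_prefix(d, p) && (d & hostmask) == hostmask)
            return DROP_DIRECTED_BROADCAST;
        return ALLOW;
    }
    /* Egress filtering: whatever leaves must bear one of our own addresses,
       so our network cannot be used to launch spoofed attacks on others. */
    if (!in_prefix(s, p)) return DROP_SPOOFED_SOURCE;
    return ALLOW;
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DROP_SPOOFED_SOURCE",
                                   "DROP_DIRECTED_BROADCAST", "DROP_BAD_ADDRESS" };
    printf("outside, 129.75.16.12 -> 129.75.1.1 (we own 129.75.0.0/16):    %s\n",
           names[border_filter(FROM_OUTSIDE, "129.75.16.12", "129.75.1.1", "129.75.0.0/16", 24)]);
    printf("outside, 129.75.16.12 -> 212.16.18.255 (we own 212.16.18.0/24): %s\n",
           names[border_filter(FROM_OUTSIDE, "129.75.16.12", "212.16.18.255", "212.16.18.0/24", 24)]);
    printf("inside,  12.8.1.101 -> 129.75.16.12 (we own 129.75.0.0/16):     %s\n",
           names[border_filter(FROM_INSIDE, "12.8.1.101", "129.75.16.12", "129.75.0.0/16", 24)]);
    return 0;
}
```

The second case is the amplifier's side of the Smurf example: the forged Echo Request from “129.75.16.12” arrives from outside addressed to 212.16.18.255, and dropping it at the border means no host on that network ever replies to the victim. The third case is the egress rule catching a local host that is trying to send with someone else's address.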

Network Reconnaissance

In a military campaign, maps and charts that reveal the positions of troops and equipment are often among the most closely guarded and highly classified secrets. This is for good reason—if the enemy knows where to find your high-value targets and the position of your defensive arrangements, it makes attack planning much easier. This analogy carries through to the defense of a computer network—if hackers know the topology of your network and the placement of your firewalls, intrusion detection systems, and other devices, they will have a much easier time penetrating and exploiting your network.

In this section, we look at three specific network reconnaissance techniques—IP sweeps, port scans, and signature detection.

IP Sweep

IP sweeps allow an intruder to determine which hosts are present on a network. An IP sweep consists of a simple network scan in which a series of “hit-or-miss” ping (ICMP Echo Request) packets is sent to every possible IP address on a subnet. The default behavior of most operating systems is to answer with an ICMP Echo Reply, thereby revealing their presence on the network. The intruder then simply needs to make a list of hosts that responded and is left with a targeting list.

NOTE

It Happens to Everybody! Networks that are connected to the Internet commonly experience several IP sweeps each day. For this reason, IP sweeps alone are not cause for alarm. However, if you notice a rapidly increasing rate of IP sweep attacks, your network may have attracted the attention of individuals with malicious intent.


IP sweep attacks are extremely easy to implement—in fact, no special software is required for the patient spy who is willing to simply type in each IP address. However, user-friendly software packages that automate the process are freely available for download at numerous Internet sites.

It's worth mentioning that IP sweeps can be used for good as well as evil. Network administrators should run periodic IP sweeps to check a network for unauthorized hosts that may have been placed on the network without the knowledge of the IT staff.

Port Scans

The port scan technique is similar in mechanism to an IP sweep but differs in objective. As with IP sweeps, port scans use an automated procedure to scan across a series of addresses. However, instead of targeting a network with ping packets to obtain a list of responding hosts, port scans target a single system with a series of packets aimed at various port addresses. The results provide the potential intruder with a partial list of services running on the system.

For example, a malicious individual might run a port scan against a machine and determine that services were running on ports 25, 80, and 110. After consulting a list of well-known ports, the intruder would then know that the particular host was most likely running SMTP, WWW, and POP3 services—three network services with long histories of vulnerabilities.

Like IP sweeps, port scans can also be put to benevolent use on a network. They are an extremely useful tool for system administrators searching for security loopholes resulting from either misconfigured machines or unauthorized servers running on a LAN.

Signature Detection

Signature detection tools (the practice is also called banner grabbing or service fingerprinting) allow infiltrators to identify specific services running on a machine with more detail than the information obtained from a port scan. For example, a port scan might report only that a specific host is running a service on port 80. A signature-detection tool might be able to identify that the machine is running Microsoft IIS on that port and might even be able to identify the specific software version in use.

These tools perform what is known as signature analysis. They examine the ways different software packages interact with clients and look for specific patterns (or signatures) that identify particular packages or versions. In some cases, this is quite simple—the server might actually identify itself in response to a specific query. In other cases, the clues are more difficult to piece together. Suppose Microsoft discovered a bug in IIS that caused it to improperly respond to a certain request and then fixed that bug in IIS 4.0. A signature-detection package might send that specific request to a known IIS server and check the response. If the correct response is received, that machine is probably running IIS 4.0 or later. If an incorrect response is returned, it would follow that the machine is running an earlier version of IIS.

The information returned by signature-detection tools is critical to a potential attacker. If the manufacturer and version number of a service are known, it's relatively straightforward to check a database of known vulnerabilities to determine the best method of penetration.

Countermeasures

A properly configured firewall is one of the best defenses against network reconnaissance. Network administrators can stymie a large percentage of mapping attempts by simply blocking external hosts from passing ICMP requests to the internal network. If the “deny everything that is not specifically authorized” principle is followed, most other reconnaissance attempts can be stopped before they even reach their intended destination. As an added layer of protection, individual hosts can be configured to ignore ICMP requests as well.

If it's within your operating budget, a quality intrusion detection system (IDS) can also provide you with valuable real-time reporting information on network reconnaissance attempts. By monitoring the current level of activity directed against your network, you'll be able to direct just-in-time response mechanisms to react to emerging threats.

System administrators often underestimate the importance of detecting and preventing network reconnaissance. Keep in mind that these techniques are often used in the days and weeks leading up to a planned penetration as the attacker probes your network for weaknesses and assesses the vulnerabilities of different access points. If your intrusion detection system picks up increased reconnaissance activity, it's probably a good idea to raise your level of vigilance and be on the lookout for other types of malicious activity. Intrusion detection is covered in Chapter 4, “Intrusion Detection and Prevention.”

Network reconnaissance tools are freely available on the Internet, and it's common knowledge that a large number of “script kiddies” use them to search a network for vulnerable hosts. Using a combination of the three tools mentioned previously can quickly and easily lead an unsophisticated hacker to a vulnerable system.

For example, imagine a miscreant (we'll call him Joe Cracker) who downloaded a program that exploits a specific vulnerability in a specific version of the Apache Web server. Joe could then run an IP sweep against several large networks to come up with a list of potential hosts. Our friend is looking for a Web server, so he could quickly narrow down that list by running a port scan against all those hosts and making a list of those running services on port 80. At this point, Joe has managed to quickly and easily develop a list of Web servers on the target network(s). In the final step of the reconnaissance package, he uses a signature-detection package to locate a host running that specific version of Apache and then launches the attack script he downloaded against it.

The moral of the story is that you must, must, must keep current with operating-system and application security patches. If you're running outdated software versions with known vulnerabilities, it's simply a matter of time before the script kiddies come after your system.

Hacker Tools

Many communities of technical experts share common toolkits they use to increase efficiency and exchange knowledge and lessons learned. Doctors read medical journals and follow standard practices of differential diagnosis. Accountants strive to adhere to the Generally Accepted Accounting Principles (GAAP). Although much more loosely organized, the hacking community also maintains contact and shares the tools of the trade among practitioners.

It's extremely important that security professionals be aware of the tools currently in use and learn to recognize the telltale signs of their use. In fact, I strongly encourage administrators to obtain as many of these tools as possible to test their own systems. After all, it's much easier to develop a strong defense when you have the other side's playbook!

Dictionary Attacks

Many operating systems store user passwords in an encrypted file located on the local hard drive or on a networked server. The encryption scheme is often strong enough that it is virtually impossible to directly break the encryption scheme and read the passwords, but other vulnerabilities in this technique expose weak passwords to malicious hackers.

EXAM TIP

Dictionary Attack Tools The TICSA exam often asks you to identify the uses of various hacker tools. It's important to keep in mind that Crack comes in several variants, such as the l0phtCrack tool. Use your best judgment on the exam.


In a dictionary attack against a Unix system, the hacker obtains a copy of the /etc/passwd file (which is usually readable by all users of a system) and then feeds it into an automated dictionary analysis system such as Crack. (See Chapter 8 for further details on the /etc/passwd file.) This program takes a dictionary of commonly used passwords and encrypts each password using the standard password algorithm. It then compares the encrypted dictionary words to the entries in the /etc/passwd file. If it finds a match between the dictionary and the password file, it reports the userid and the plaintext password (from the dictionary) to the hacker, who can then use it to log on to the system.

Network Sniffers

Network sniffers enable administrators to look at the actual packets traveling across a network. They are an invaluable tool when troubleshooting a pesky connectivity or configuration issue, but they also pose a significant risk when placed in the wrong hands.

Many poorly designed applications and protocols (such as Telnet and FTP) transmit user authentication information in clear text across the network. Unfortunately, the authentication information used by these programs often mirrors the authentication credentials used by the network operating system. Therefore, by sniffing packets long enough, a hacker can harvest username/password combinations right off the wire.

Even if secure authentication systems are in place and the hacker is not able to discover passwords, there is still valuable intelligence to be found by monitoring a network. There's an entire discipline known as traffic analysis that is dedicated to uncovering important meanings behind patterns and trends in network usage data.

For example, suppose the CEO of your company uses a certain workstation. If a hacker discovered that fact (perhaps the NetBIOS name of the workstation is CEO), he could then use network sniffing software to determine with what other machines (both on the LAN and the Internet) the CEO's computer communicates. It would be trivial for a hacker to quickly determine which file server houses the CEO's working documents. That certainly makes a juicy target for further hacking activity. The hacker could also specifically target that machine for intensive monitoring and pull inbound and outbound email off the wire as the CEO communicates with employees, colleagues, and business partners.

Back Doors

Back doors are often written into programs by software developers seeking to simplify the debugging and troubleshooting process. They utilize a hard-coded password or another shared secret to bypass normal authentication and security mechanisms. Back doors are a valuable tool while code is still in the development process, but occasionally programmers neglect (intentionally or unintentionally) to remove them before moving the code to production.

The presence of back doors in an operational environment poses a significant risk to computing systems, especially because they are normally undetectable and often bypass standard auditing and logging mechanisms.

Rootkits

When attempting to gain illegitimate access to a system, hackers often obtain the password to a standard user account, rather than an account with root privileges (see Chapter 8 for more detail). Over the years, hackers developed a variety of sophisticated techniques to assume root access after gaining normal user access to a system. To simplify this process, they developed automated systems for exploiting common vulnerabilities. These software packages are known as rootkits.

Postattack analysis of audit logs often reveals a common pattern that is the signature of rootkit usage:

  1. A hacker gains access to the system using a standard user account.

  2. That user immediately initiates an FTP session to a remote host and downloads a compressed file.

  3. The hacker decompresses the file and executes one or more programs stored within it.

  4. The hacker then issues commands that normally require privileged access.
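A detector for that four-step pattern, added here as an example (it is not code from the book) and run over constructed audit lines in an assumed `<time> <event> user= [uid=] [cmd=] [euid=]` format; the stage predicates and the 30-minute window are assumptions that model the text's "immediately":

```python
"""Four-step rootkit signature detector over constructed audit lines (added example)."""
import re
from datetime import datetime, timedelta

# Assumed log format: <iso time> <event> user=<name> [uid=<n>] [cmd="<text>"] [euid=<n>]
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+)'
                     r'(?: uid=(?P<uid>\d+))?(?: cmd="(?P<cmd>[^"]*)")?(?: euid=(?P<euid>\d+))?$')
WINDOW = timedelta(minutes=30)  # the text says the later steps follow "immediately"

# The four stages in the order the text lists them, each a predicate on one parsed line.
STAGES = [
    ("login as standard user", lambda e: e["event"] == "login" and e["uid"] not in (None, "0")),
    ("ftp download", lambda e: e["event"] == "exec" and e["argv"][:1] == ["ftp"]),
    ("decompress", lambda e: e["event"] == "exec" and e["argv"][:1] in (["tar"], ["gunzip"], ["unzip"])),
    ("privileged command", lambda e: e["event"] == "exec" and e["euid"] == "0"),
]

def parse(line):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["argv"] = (e["cmd"] or "").split()  # command word and arguments, [] for logins
    return e

def detect(lines):
    """Return [(user, login_time)] for users who complete all four stages in order
    within WINDOW of their login; progress through STAGES is tracked per user."""
    progress, alerts = {}, []  # progress: user -> (index of next stage, login time)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        idx, start = progress.get(e["user"], (0, None))
        if idx > 0 and e["ts"] - start > WINDOW:
            idx, start = 0, None  # too slow to fit the signature; wait for a new login
        if STAGES[idx][1](e):
            if idx == 0:
                start = e["ts"]
            idx += 1
            if idx == len(STAGES):
                alerts.append((e["user"], start))
                idx, start = 0, None
        progress[e["user"]] = (idx, start)
    return alerts

# Constructed sample: jdoe matches the signature; asmith downloads and unpacks a file but
# runs nothing privileged; root's privileged commands are expected and are not flagged.
SAMPLE_LOG = """\
2001-03-04T02:11:05 login user=jdoe uid=1001
2001-03-04T02:11:20 exec user=jdoe cmd="ftp 198.51.100.7"
2001-03-04T02:12:01 exec user=jdoe cmd="tar xzf kit.tgz"
2001-03-04T02:13:02 exec user=jdoe cmd="./setup" euid=0
2001-03-04T09:00:00 login user=asmith uid=1002
2001-03-04T09:00:40 exec user=asmith cmd="ftp files.example.com"
2001-03-04T09:01:10 exec user=asmith cmd="tar xzf report.tgz"
2001-03-04T10:00:00 login user=root uid=0
2001-03-04T10:00:10 exec user=root cmd="useradd newhire" euid=0
"""
```

Running `detect(SAMPLE_LOG.splitlines())` reports only jdoe's session; a privileged command that arrives outside the window, or out of order, does not complete the signature.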

Security Toolkits

Software vendors and security organizations often release automated toolkits (known as vulnerability scanners) that scan for and report common vulnerabilities on a network. Two of the more famous toolkits are the Security Administrator's Tool for Analyzing Networks (Satan) and its successor, the Security Administrator's Integrated Network Tool (Saint). In the right hands, these toolkits provide administrators with a quick and easy way to assess the security posture of an entire network. On the other hand, when placed in the wrong hands, these tools provide hackers with a quick and easy way to probe a network for vulnerable weak spots when planning an attack.

Countermeasures

Many hackers boast that they are able to obtain at least 50% of the valid passwords for a system simply by running Crack or a similar utility. The widespread distribution of these tools makes it essential to instruct users to use difficult passwords. Consult Chapter 8 for more detail on what constitutes a strong password.

Operating systems often provide features that make it easy to enforce basic password requirements (such as not making the username and password exactly the same or requiring a digit in the password). However, your best bet for ensuring secure passwords is to use the same tools the hackers use—download a copy of Crack and run it against your system. You'll probably be surprised at the number of accounts to which you gain access. Speak with those users, explain the reason their password was weak, and ask them to select a stronger password.
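The audit that paragraph recommends, written out as an added example rather than the book's or Crack's own code: each dictionary word (and the username itself, the case the paragraph singles out) is hashed with the account's salt and compared against the stored value. The `$c$salt$hash` format, the salted SHA-256 stand-in for the system password function, and the three accounts are all constructed for the example; a real audit would parse the platform's actual password file.

```python
"""Dictionary-style password audit modelled on the Crack procedure the text describes.
Added example; the hash format below is constructed, not a real /etc/passwd scheme."""
import hashlib
from typing import Iterable

# Constructed sample dictionary; a real audit would use a large wordlist.
DICTIONARY = ["password", "letmein", "123456", "qwerty", "welcome"]

def hash_password(salt: str, password: str) -> str:
    """Simplified stand-in for the system password function: the salt is
    prepended so identical passwords with different salts hash differently."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user: str, salt: str, password: str) -> str:
    """Build one constructed password-file line: user:$c$salt$hash."""
    return f"{user}:$c${salt}${hash_password(salt, password)}"

# Constructed sample password file: two of the three accounts have weak passwords.
SAMPLE_PASSWD = "\n".join([
    make_entry("alice", "k7Qz", "password"),
    make_entry("bob", "Xm2p", "T9!vq#Lr8$w"),
    make_entry("carol", "aB9c", "carol"),  # password equals the username
])

def parse_entry(line: str):
    """Split 'user:$c$salt$hash' into (user, salt, hash)."""
    user, field = line.split(":", 1)
    _, scheme, salt, digest = field.split("$")
    if scheme != "c":
        raise ValueError(f"unsupported hash scheme for {user}")
    return user, salt, digest

def audit(passwd_text: str, dictionary: Iterable[str]) -> dict:
    """Return {user: recovered_password} for accounts whose password is the
    username or a dictionary word; other accounts are left out of the report."""
    words = list(dictionary)
    weak = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, salt, digest = parse_entry(line)
        for candidate in [user] + words:  # username first, then the wordlist
            if hash_password(salt, candidate) == digest:
                weak[user] = candidate
                break
    return weak

if __name__ == "__main__":
    for user, pw in audit(SAMPLE_PASSWD, DICTIONARY).items():
        print(f"{user}: weak password ({pw!r}); ask the user to choose a stronger one")
```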

WARNING

Obtain Permission First! Never run hacker tools, such as Crack, Satan, or Saint, on a computer system unless you have specific authorization to do so. Even though your intentions may be good, you might find yourself in hot water with your boss or the law.


This general advice also applies to tools such as Satan and Saint. By running these tools against your own system, you might discover some gaping holes in your security defenses. After all, it's much better that you discover these holes on your own rather than having a hacker discover them for you!

Network sniffers require special security arrangements on individual machines as well as on the network as a whole. To run a sniffer properly, the network interface card (NIC) on the client machine must be placed into “promiscuous mode.” This special mode instructs the NIC to examine all packets that pass by it, even if the packet is not specifically addressed to that interface. When configuring network clients, it's important to ensure that normal users do not have the permissions necessary to place an interface into promiscuous mode. It's a good idea to go a step further and remove any network-sniffing software from clients that will be used by the general population.

An even better method to prevent this type of attack is to ensure that the client machines can't physically see packets that are not addressed to them. This is made possible through the use of network-switching technology in place of the less expensive hubs that connect many Ethernet networks. A switch forwards each packet only to the port where its destination resides rather than broadcasting it to the entire network. Unless a hacker manages to install sniffing software on a router or the switch itself, they won't have very much traffic to look at!

Physical/Human Attacks

All too often, security administrators focus on preventing and detecting highly technical electronic attack mechanisms and fail to pay adequate attention to the risks that low-tech techniques pose to their systems.

Dumpster Diving

You can learn a great deal about someone by taking a look at their trash. In fact, if you speak to any private investigator, you'll probably learn that one of the first techniques they use is to swing by a target's house on trash day and make a pickup (if it's possible to do so without trespassing).

Hackers have also discovered the usefulness of this technique, but they're often not as concerned as licensed investigators about the legal niceties of trespassing. In a trip commonly known as Dumpster diving, they'll root through the trash of large businesses seeking out password lists, network topology diagrams, security documents, and just about anything they can get their hands on that will assist them in penetrating a corporate network.

Fake System Administrators

The fake system administrator ploy is one of the oldest social engineering attacks in use by the hacking community. There are hundreds of variations, but the general theme involves obtaining a telephone directory for a large organization (possibly through Dumpster diving) and placing a series of phone calls to end users of computing systems. The typical conversation goes something like this:

Hacker: “Hi, this is Joe Anderson from IT. Are you having any problems with your system?”

User: “No, everything seems to be fine.”

Hacker: “Have you noticed any strange activity over the past few weeks? Maybe your system has seemed a little slower than usual?”

User: “Actually, now that you mention it….”

Hacker: “That's what I thought. We're currently tracking down a problem with certain accounts. Let me check out your file space. What's your username?”

User: “jdoe”

Hacker: “And your password?”

EXAM TIP

Social Engineering Attacks You'll often see questions about various social engineering attacks on the TICSA exam. Remember that phone calls from false system administrators are a common source of social engineering attacks and that simply calling back the help desk is the best way to verify a caller's identity.


Ninety-nine times out of a hundred, these attempts fail because most users are educated enough to not provide their password over the telephone. However, social engineers are extremely persistent and simply keep making calls until they find that one weak link in the chain. After they've gained the username and password of an authorized user, they often use that account to install a back door, rootkit, or other hacker tools to gain increased access to the system.

Physical Assault

All the technical security measures in the world won't do you any good if you leave the door to your server room unlocked—an intruder can simply walk in, grab your entire system, and walk out the front door! For this reason, security professionals must plan physical security measures alongside technical security measures.

When you're developing your physical protection plan, be sure to consider as many threats as you can conceive. For example, if an attacker simply wants to shut down your business, a fire set by throwing a Molotov cocktail through the window is just as effective as stealing equipment from the server room.

Countermeasures

When you're combating Dumpster diving and social engineering, education is your most powerful ally. Offer initial computer security training to all employees during your organization's new-hire orientation program. Follow that training with periodic refresher courses that update employees on new security policies and provide a friendly reminder of the training they received on their first day.

During these training sessions, explain the threats that social engineering and Dumpster diving pose to your organization. Instruct users to change their passwords frequently and to never write them down. Let them know that no legitimate system administrator will ever ask for their password and they should report to the security staff any attempts to elicit their password. If your help desk reports a wave of social engineering attempts across your organization, send out an alert email message to all employees warning them of the threat and reminding them of good security practices. Take every opportunity you can find to stress the importance of security to your organization's overall success.

WARNING

Consult with your attorneys before installing any audio or video surveillance devices. Rules on monitoring employees vary from jurisdiction to jurisdiction and it's wise to ensure you're on the correct side of the law before you purchase and install a costly system.


The extent of your physical security arrangements depends upon the sensitivity of your data and the level of perceived threat. Your plan may include some of the following measures:

  • Access Control Devices. Range from a simple lock on the door to sophisticated biometric devices that use fingerprints, retinal scans, and voiceprint patterns to identify personnel before granting access to sensitive facilities.

  • Surveillance Devices. Keep an eye and ear on your sensitive areas 24 hours a day. If you're with a large organization, you may want to have the devices monitored by a security guard at the front desk. If the building is unmanned during the evening hours, you may want to attach motion detectors to a system that pages responsible personnel when an alarm is triggered.

  • Environmental Monitors. Don't neglect to consider the devastating effect that a fire, flood, or other disaster (whether natural or man-made) might have on your systems. Environmental monitoring systems can provide a relatively inexpensive early warning of physical threats and could even provide insurance discounts.
