CC-Note2

Transcript of CC-Note2

  • 8/4/2019 CC-Note2

    1/19

    What Do Hackers Do?

    Break into the network via the Internet by spoofing the identity of computers that the network expects to be present!

  • 2/19

    Modern Day Robin Hood

    Most don't consider themselves criminals

    They are only making copies of software or data and utilizing unused computer resources: CPU, disk and networking

    Not depriving anyone; the original copy of the information is still where it was, unaltered

    Defenders of the digital frontier

  • 3/19

    Releasing information: hackers believe information must be free

    Releasing software: disagree with software licensing policy, which does not allow multiple copies on several computers even though you are the only one using them

    Release crack info for license codes

    Consuming unused resources: network bandwidth, computer cycles, telephone lines

    Over-consumption of those often leads the company to buy more of these resources

    Eg: David McOwen; system administrator at DeKalb Technical College; connected computers to Distributed.net so that the spare computing cycles could assist in a communal code-breaking challenge

  • 4/19

    Discover and document vulnerabilities

    Disclose system vulnerabilities to others

    Those without skills can now make use of this info to create their own hacking tools

    Eg: Adrian Lamo; explored the inner workings of corporate computer networks in search of system weaknesses; had successfully hacked into WorldCom, America Online Inc., Excite@Home, Yahoo Inc., Microsoft Corp., and the NY Times

    Finding fame

    Viruses, website defacements

    To prove their skills

    Eg: Kevin Mitnick; hired for the Alias TV series

  • 5/19

    Digital Dillinger

    Information security professionals must ensure system availability and maintain information confidentiality and integrity

    They look at hackers as: Theft of information

    Hackers steal information to prove themselves

    Electronic fund transfer networks invite the most attacks

    Intercept bank card numbers and PIN numbers

    Eg: Suzanne Scheller; FI employee; accessed the FI computer system and searched for potential customers for a friend who was starting a real estate business

  • 6/19

    They look at hackers as: Software piracy

    Many organizations' secrets are contained not only in the information they have, but are also embedded in the software that they have created (internal software)

    Theft of this software may disclose an organization's most private secrets

    Damage to the original copy will lead to inability to continue doing business

    Eg: Chung-Yuh Soong, an SE, worked for Kodak for a year before resigning, transmitting large data files containing software programs used in Kodak digital cameras and other digital devices to a Xerox computer

    Theft of resources: difficult to prove in court; hard to prove loss of revenues

    Eg: Raymond Torricelli; known as "rolex", a member of a hacking organization known as #conflict; used his PC from home to search the Internet for vulnerable computers to intrude on; located a computer, obtained unauthorized access and uploaded a program that allowed him to gain complete access to all of the computer's functions; accessed NASA, the Jet Propulsion Lab and San Jose State U, loading a hostile program used mostly for hosting chat-room discussions; used the chat room to invite visitors to pornographic images that cost 18 cents per visit

  • 7/19

    Compromising systems

    Will cost organizations even though no damage occurs

    They need to spend time and resources (manpower) to find out whether there is damage or not

    Hackers will apply a rootkit, which changes the system's software so that it does not report their presence or their tools

    Eg: Jason Allen Diekman; hacked into NASA and stole and used credit card numbers to purchase electronic equipment; gained unauthorized access to Oregon State U using a stolen student account id; stored a program to control IRC channels

    Website vandalism

    Most visible attack

    Stolen password accounts

    Websites are generally selected due to the hacker's ability to exploit the system, the system's visibility, or the site's owner

  • 8/19

    How Do Hackers Do What They Do?

    The process of hacking computer systems has become automated

    Many tools are easily available to identify and exploit vulnerabilities to compromise a system

    Powerful software tools for breaking into networks are freely distributed; they require little knowledge and are virtually undetectable until damage is done

  • 9/19

    Malicious code

    Logic bomb

    A program that lies dormant until it is activated (by any event the computer system can detect)

    Often time-based, or based on the presence or absence of data (e.g. the programmer's name)

    Once triggered, it will deliver its payload, which is often destructive: consuming resources or deleting files

    Eg: Timothy Lloyd, a former chief computer network program designer for Omega Engineering; was terminated and activated a time bomb which permanently deleted all of the company's sophisticated manufacturing software programs

  • 10/19

    Parasite

    Code which is added to an existing program and draws information from the original program; it will change some of the program's attributes such as program size, timestamp, permissions, ownership etc

    Used to gather information the hacker does not have privileges for

    A covert, nondestructive program

    Trojan Horse

    A program that looks like a useful program but has an alternate agenda

    How is it planted? Requires social engineering: it needs to be advertised so that people will run it. Normally distributed as a trial version of a game

  • 11/19

    Virus

    A program that infects another program by replicating itself into the host program; mostly destructive; some are not, but will replicate, consuming resources: these are called rabbits or bacteria

    3 phases

    Infection phase: the host is infected from a previously existing virus

    Activation phase: the new copy is triggered to find another host to infect

    Replication phase: the virus finds a suitable host and copies itself to the host

    An environment where freeware is prevalent and people regularly bring software onto your system carries a greater risk of virus infection

  • 12/19

    Worms

    A program used as a transport mechanism for other programs

    Utilizes the network to spread programs from one system to another

    Utilizes a flaw in a network transport such as network mail or remote process execution

    3 processes

    Search for a receptive system

    Establish a connection to that system

    Transport its program to the remote system and execute the program

    Eg: Franklin Wayne Adams created a worm that seeks computers on the Internet that have certain sharing capabilities enabled, and uses them for the mass replication of the worm; causes the hard drives to be erased; computers whose hard drives were not erased will scan for other computers to infect, which leads these computers to dial 911; caused a denial of service on the 911 emergency system (overloaded)

  • 13/19

    Modified Source Code

    Source code which is freely available and widely distributed (eg. Linux)

    Skilled hackers have the ability to create their own backdoors or data capture routines

    Dynamically Loadable Modules

    Allow the system to load the module only when it is needed instead of integrating it into the software program

    Available in user space (shared libraries) and in kernel space

    Shared library: a library of utilities that can be called from any program

    Shared libraries differ from archive libraries in that they are not loaded into the executable program at program link time; they are pointed to from the executable and are executed at run time; any modifications to the shared libraries are immediately realized by the programs that use them

  • 14/19

    If a hacker replaces a utility in the shared library, all programs which use this utility will be compromised

    Thus, shared libraries should be given more protection

    Dynamically loadable kernel modules work in the same way; they are not statically linked into the kernel; they are loaded when the system that uses the module is initiated

    Opens the door for hackers to install kernel-level code into the system, since unloading and reloading of these modules provides the ability to update modules without having to shut down the system
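    The slides say a parasite changes a program's size, timestamp, permissions and ownership, and that a replaced shared library compromises every program that uses it. The defender's answer to both is a baseline-and-compare integrity check over exactly those attributes plus a content hash. The code below is an added example, not part of the original notes; the file name libdemo.so and the temporary directory are constructed for the demo, and the "injection" is simulated by appending bytes and widening the mode.

```python
"""Baseline-and-compare check for the file attributes a parasite or a
replaced shared library would alter (size, mtime, mode, owner) plus a
SHA-256 of the content. Added example; paths below are constructed."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable

ATTRS = ("size", "mtime", "mode", "uid", "gid", "sha256")


def fingerprint(path: str) -> Dict[str, object]:
    """Record the attributes the slides list plus a content hash; a parasite
    that pads the file back to its original size still changes the hash."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "sha256": digest,
    }


def baseline(paths: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Fingerprint every path; store the result somewhere the attacker
    cannot rewrite (offline media, a separate host)."""
    return {p: fingerprint(p) for p in paths}


def compare(base, current):
    """Return {path: [changed attribute names]} for files that differ from
    the baseline; a file that vanished is reported as ['missing']."""
    findings = {}
    for path, old in base.items():
        new = current.get(path)
        if new is None:
            findings[path] = ["missing"]
            continue
        changed = [a for a in ATTRS if old[a] != new[a]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: baseline a fake shared library, then simulate a
    parasite that appends code, widens permissions and bumps the mtime."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libdemo.so")  # constructed file name
        with open(lib, "wb") as fh:
            fh.write(b"original library bytes")
        os.chmod(lib, 0o644)
        base = baseline([lib])
        with open(lib, "ab") as fh:
            fh.write(b" injected")
        os.chmod(lib, 0o755)
        later = base[lib]["mtime"] + 100  # deterministic timestamp change
        os.utime(lib, (later, later))
        return compare(base, baseline([lib]))


if __name__ == "__main__":
    for path, changed in demo().items():
        print(path, "changed:", ", ".join(changed))
```

    In practice the baseline would be taken for the system's real shared library and kernel module directories right after installation, and the comparison run from read-only or offline media so that a rootkit which hides its files from the running system cannot also hide them from the check.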

  • 15/19

    Software developers: code moved into production while it still contains debugging information or developer hooks. Need to review software design

    Exploiting network protocols: hundreds of network services which hackers can choose to attack

    The Internet daemon, inetd, controls some of the processes that communicate over the network; it listens on each port and when a connection is identified, it passes control of the socket to the associated program

    A hacker can add a back door into a system by adding a line in /etc/inetd.conf that will attach a shell with root privileges to a specific socket:

    hack stream tcp nowait root /bin/csh csh -i

    A too-visible approach; easily detected
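    The slide calls this back door "easily detected", and the detection is a straightforward audit of inetd.conf: parse each entry into its fields (service, socket type, protocol, wait flag, user, program, arguments) and flag any entry that binds a shell to a socket, plus any handler that runs as root. The code below is an added example, not from the notes; the sample configuration is constructed and the list of shell names is an assumption.

```python
"""Audit an inetd.conf for entries that hand a shell to a socket, which is
the back door pattern shown on the slide. Added example; the sample
configuration below is constructed."""
import os
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
hack    stream  tcp  nowait  root    /bin/csh        csh -i
"""

# Assumed list of interactive shells; extend for the platform being audited.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "dash"}


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    proto: str
    wait: str
    user: str
    program: str
    args: List[str]


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Split the file into entries; comments and blank lines are skipped and
    malformed lines (fewer than six fields) are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            continue
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries


def audit(entries: List[InetdEntry]) -> List[Tuple[str, str, str]]:
    """Return (service, severity, reason) findings. A shell as the program
    or as the first argument (the tcpd wrapper case) is critical; any other
    handler running as root is a warning worth reviewing."""
    findings = []
    for e in entries:
        user = e.user.replace(":", ".").split(".")[0]  # strip user.group
        prog = os.path.basename(e.program)
        first_arg = os.path.basename(e.args[0]) if e.args else ""
        if prog in SHELLS or first_arg in SHELLS:
            findings.append((e.service, "critical",
                             f"interactive shell bound to a socket as {user}"))
        elif user == "root":
            findings.append((e.service, "warning",
                             "service handler runs as root"))
    return findings


if __name__ == "__main__":
    for service, severity, reason in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"{severity:8} {service:8} {reason}")
```

    Run against the real file with `audit(parse_inetd_conf(open("/etc/inetd.conf").read()))`; the same check belongs in a periodic integrity job, since a single added line is what turns the daemon into a listener for an attacker's shell.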

  • 16/19

    E-mail spoofing: most trivial of all spoofs

    SMTP consists of simple ASCII commands

    These commands can be easily input manually by using a telnet connection to the system's SMTP port:

    telnet victim.com smtp

    Email forgery does not require access or authorizations that have to be obtained improperly

    Once connected, the hacker can type the mail protocol commands directly to the port. Identifying someone else in the MAIL FROM: command will show the mail as sent from the user identified. This technique can be used to send mail to other systems by entering a RCPT TO: command for another system

  • 17/19

    IP spoofing: the act of sending packets with source addresses other than the actual address of the originating host; either an unassigned address or an address belonging to another host

    Currently there is no way to stop IP spoofing

    The best we can do is stop our network from being the source of such an attack. How? The border routers should be configured to drop any packet exiting the internal network with a source address that does not belong to the internal network

    Source routing

    A feature of IP that allows the packet to define the path that the return packet should take to find its way back to the source host

    Virtually never used, since the Internet utilizes dynamic routing protocols to optimize the traffic

    Mostly used by hackers who use IP spoofing to get packets returned, so this facility should be disabled on all hosts and routers; routers should be configured to drop any packet that contains a source route
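    The two router rules on this slide (drop egress packets whose source is not ours, drop anything carrying a source route) are simple enough to express as a decision function, and writing them out makes the logic testable before it is translated into a real router's ACL syntax. The code below is an added example, not part of the notes; the internal prefixes and packets are constructed from documentation address ranges, and it goes one step beyond the slide by also adding the mirror-image ingress rule (drop arriving packets that claim one of our own addresses), which is the same idea applied in the other direction.

```python
"""Simulated border-router policy: egress anti-spoofing, ingress
anti-spoofing and source-route rejection. Added example; the prefixes and
packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed internal prefixes (documentation ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str          # "egress": leaving our network; "ingress": arriving
    source_routed: bool = False  # IP option LSRR/SSRR present


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def border_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ('drop', reason) or ('forward', '')."""
    if pkt.source_routed:
        return "drop", "packet carries a source route option"
    if pkt.direction == "egress" and not is_internal(pkt.src):
        return "drop", "egress packet with a source address outside the internal network"
    if pkt.direction == "ingress" and is_internal(pkt.src):
        return "drop", "ingress packet claiming an internal source address"
    return "forward", ""


# Constructed traffic sample: legitimate flows in both directions plus three
# packets the policy should reject.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.7", "egress"),                 # normal outbound
    Packet("203.0.113.99", "203.0.113.7", "egress"),               # spoofed source leaving us
    Packet("203.0.113.7", "192.0.2.10", "ingress"),                # normal inbound reply
    Packet("192.0.2.55", "192.0.2.10", "ingress"),                 # outsider claiming our address
    Packet("192.0.2.10", "203.0.113.7", "egress", source_routed=True),
]


def apply_policy(packets: List[Packet]) -> List[Tuple[str, str, str, str, str]]:
    """Run every packet through the filter and return (src, dst, direction,
    verdict, reason) rows."""
    return [(p.src, p.dst, p.direction) + border_filter(p) for p in packets]


if __name__ == "__main__":
    for src, dst, direction, verdict, reason in apply_policy(SAMPLE_PACKETS):
        print(f"{direction:7} {src:>14} -> {dst:<14} {verdict:7} {reason}")
```

    The egress rule is the one the slide asks for: it does not protect you from spoofed packets arriving from elsewhere, but it guarantees your network cannot be the origin of them, which is the whole point of deploying it at every border.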

  • 18/19

    Network flooding

    The process of creating more network traffic than the network is able to process, making the network unavailable to legitimate traffic and the hosts that require that network to communicate unreachable

    SYN flooding

    Sends a large number of spoofed TCP connection requests. These requests utilize data structures in the target machine which consume memory and kernel resources and may cause legitimate connections to be denied

    Smurf

    This attack uses forged ICMP echo request packets directed to IP broadcast addresses from a remote location to generate denial-of-service attacks

    3 parties involved: attacker, intermediary, victim
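    Both floods leave a recognisable trace in a packet capture: a SYN flood shows up as a pile of half-open connections (SYNs never followed by the client's ACK) to one destination from many sources, and a Smurf attempt shows up at the intermediary as ICMP echo requests addressed to the network's directed broadcast address, with the source set to the victim that will receive all the replies. The code below runs those two checks over a constructed capture. It is an added example, not part of the notes; the local prefix, the half-open threshold and the packet records are all constructed.

```python
"""Detect the two flood patterns on the slide in a packet record list:
many half-open TCP connections (SYN flood) and ICMP echo requests to a
directed broadcast address (Smurf). Added example; the capture is
constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed
HALF_OPEN_LIMIT = 5                                  # constructed threshold


def pkt(src: str, dst: str, proto: str, flags: str = "", icmp_type: str = "") -> Dict[str, str]:
    """Minimal packet record; flags uses S, SA, A for the TCP handshake."""
    return {"src": src, "dst": dst, "proto": proto, "flags": flags, "icmp_type": icmp_type}


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our prefixes, i.e. a
    packet that would be amplified to every host on that subnet."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)


def analyse(packets: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, target, detail) findings."""
    half_open = defaultdict(set)  # dst -> sources whose handshake never completed
    findings = []
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == "S":
                half_open[p["dst"]].add(p["src"])
            elif p["flags"] == "A":          # client's final ACK closes the handshake
                half_open[p["dst"]].discard(p["src"])
        elif (p["proto"] == "icmp" and p["icmp_type"] == "echo-request"
              and is_directed_broadcast(p["dst"])):
            findings.append(("smurf", p["dst"],
                             f"echo request to directed broadcast; replies go to {p['src']}"))
    for dst, srcs in half_open.items():
        if len(srcs) > HALF_OPEN_LIMIT:
            findings.append(("syn-flood", dst,
                             f"{len(srcs)} half-open connections from distinct sources"))
    return findings


def constructed_capture() -> List[Dict[str, str]]:
    """One legitimate handshake, eight SYNs that never complete, and one
    echo request aimed at our broadcast address with the victim as source."""
    packets = [
        pkt("203.0.113.7", "192.0.2.10", "tcp", "S"),
        pkt("192.0.2.10", "203.0.113.7", "tcp", "SA"),
        pkt("203.0.113.7", "192.0.2.10", "tcp", "A"),
    ]
    packets += [pkt(f"198.51.100.{i}", "192.0.2.10", "tcp", "S") for i in range(1, 9)]
    packets.append(pkt("203.0.113.50", "192.0.2.255", "icmp", icmp_type="echo-request"))
    return packets


if __name__ == "__main__":
    for kind, target, detail in analyse(constructed_capture()):
        print(f"{kind:10} {target:14} {detail}")
```

    The Smurf check is the intermediary's responsibility: a router that refuses to forward packets to directed broadcast addresses removes the amplification entirely, so the detection here is best read as a test that the drop rule is actually in place. The SYN-flood count is only a signal; the mitigation is on the target (SYN cookies or a bounded backlog), which is outside what this example shows.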

  • 19/19

    System flooding

    The process of consuming a resource or resources on a system until the system is unable to do useful work: memory, storage, computation, buffers, queues

    Mass-mailings

    Mail flooding has become a popular attack

    Mail messages containing viruses