Hacking Techniques - An Introduction for Business Owners and Decision Makers
Hacking Techniques:
An Introduction for Business Owners and Decision Makers
by Ken Fogalin
Capella University School of Technology
TS5508 Enterprise System Security
Instructor: Steven Brown
November 28, 2004
Hacking Techniques: An Introduction for Business Owners and Decision Makers
Abstract
This paper reviews the literature on the threats and attacks that target online business. It
reviews the basic tools, techniques and processes used by hackers and other online adversaries.
The basics of using malicious code, exploiting network protocols and exploiting known
vulnerabilities are covered. In addition, emerging attacks, such as blended or multi-vector
attacks are discussed with examples of real attacks such as Code Red, Nimda and Klez being
described. This paper describes how hackers use a methodical and very predictable process that
starts with a detailed reconnaissance and progresses through various phases such as gathering
information, gaining access, acquiring privileges to control the network, and avoiding detection.
Finally, some basic protection and security practice recommendations are presented.
Understanding the information presented in this paper will help business owners and decision
makers protect their company assets.
© Ken Fogalin 2
CONTENTS
Abstract (p. 2)
INTRODUCTION (p. 5)
CHARACTERISTICS OF DIGITAL CRIME (p. 7)
  Automation (p. 7)
  Action at a Distance (p. 7)
  Technique Propagation (p. 7)
CLASSES OF DIGITAL ATTACKS (p. 8)
  Criminal Attacks (p. 8)
  Publicity Attacks (p. 8)
  Legal Attacks (p. 9)
ADVERSARIES: WHO IS ATTACKING YOUR NETWORK? (p. 10)
  Objectives (p. 10)
  Access and Resources (p. 10)
  Expertise (p. 11)
  Risk (p. 11)
  Understanding Your Adversary (p. 11)
PROFILE OF A HACKER: WHY THEY DO IT (p. 12)
  Money (p. 12)
  Entertainment (p. 13)
  Ego (p. 13)
  Cause (Ideology) (p. 14)
  Entrance to a Social Group (p. 15)
  Status (p. 15)
TOOLS AND TECHNIQUES: HOW HACKERS DO WHAT THEY DO (p. 16)
  Malicious Code (p. 16)
  Exploiting Network Protocols (p. 17)
  Exploiting Vulnerabilities (p. 18)
  Password Cracking (p. 19)
  Multi-vector Attacks (p. 20)
THE HACKING LIFECYCLE: A METHODICAL PROCESS (p. 22)
  Phase 1 - Reconnaissance (p. 22)
  Phase 2 - Gathering Information (p. 23)
  Phase 3 - Gaining Access (p. 25)
  Phase 4 - Acquiring Privileges (p. 28)
  Phase 5 - Avoiding Detection (p. 29)
  Realizing the Goal (p. 29)
FINAL THOUGHTS AND RECOMMENDATIONS (p. 30)
CONCLUSION (p. 32)
References (p. 34)
Appendix A: Annotated Bibliography (p. 35)
INTRODUCTION
The digital threats of cyberspace are not very different from the flesh-and-blood, bricks-
and-mortar, real world threats (Schneier, 2004). Like the real world, cyberspace has
communities filled with commerce, agreements, contracts, disagreements, and threats that mirror
the threats in the physical world. Threats like embezzlement, bank robbery, theft, racketeering,
vandalism, voyeurism, exploitation, extortion, con games, fraud, and invasion of privacy are all
evident in cyberspace. In other words, the threats against digital systems are basically the same
as the threats against real-world physical systems. Although the threats will be the same, the
methods of attack will be very different because cyberspace changes everything. Attacks in the
digital world will be more common, more widespread, and more devastating (Schneier, 2004).
According to the CSI/FBI Computer Crime and Security Survey (Gordon et al., 2004),
virus attacks and denial of service (DoS) attacks have started to outpace the theft of proprietary
information. The annual costs to business resulting from viruses have jumped to $55 million.
Network intrusions are on the rise, but the percentage of organizations reporting computer
intrusions has actually declined because of the concern for negative publicity.
Both the Computer Emergency Response Team Coordination Centre (CERT-CC) and
Internet Security Systems (ISS) have documented the constant rise in the number of reported
vulnerabilities. In their 2001 annual report, CERT-CC reported 2,437 vulnerabilities, compared
with only 774 in their 2000 annual report. The ISS reported 537 new security vulnerabilities in
software for the first quarter of 2002 (Goetz, 2002).
For the period of January 1, 2004 to June 30, 2004, Symantec reported the average time
between the announcement of network or software vulnerabilities and the appearance of the
associated code to exploit the vulnerability was only 5.8 days. Once exploit code is made
available, hackers can widely scan for and exploit the vulnerability very quickly. This danger is
made worse if the application, in which the vulnerability is found, is widely deployed, such as
Web server or database applications. During this period, Symantec observed that worms had
compromised 40 percent of Fortune 100 companies. Furthermore, the e-commerce industry was
the most frequent target with 16 percent of e-commerce sites being targeted - a dramatic increase
from the last six months of 2003, during which only four percent of e-commerce sites were
targeted. Other alarming statistics indicate that 39 percent of the disclosed vulnerabilities
targeted Web application technologies and 82 percent of these were considered easy to exploit
(Symantec Security, 2004).
The digital threats to business are ever increasing in frequency and complexity.
Therefore, it is prudent for business owners and decision makers to be aware of the online
threats. They should know who their adversaries are and how such threats could affect their
organization. This paper will focus on the types of attacks that a business owner should
anticipate. First, this paper will explain the characteristics of the Internet that make attacks so
prevalent. Then it will describe adversaries, in broad terms, and give a detailed profile of a
hacker so you can understand who your enemy is and what motivates him to attack your
network. Following this, the heart of this paper will describe exactly how hackers attack
systems, giving examples and explanations of the tools and techniques they use to compromise a
network and avoid detection. This section may be particularly useful for system administrators
as well.
This paper is about basic concepts that business owners and decision makers can
understand. It offers the knowledge they need to understand cyber attacks so they can effectively
communicate with their security team and develop effective security policies.
CHARACTERISTICS OF DIGITAL CRIME
The Internet has introduced three new characteristics into the area of crime: automation,
action at a distance, and technique propagation.
Automation
Automation makes attacks with a minimal rate of return profitable. Previously, attacks
that were just too marginal to notice in the physical world can quickly become a major threat in
the digital world. For example, if a thief was successful in picking someone’s pocket once every
hundred thousand times, he would starve before he could rob anyone. However, in cyberspace, a
thief could set his computer to look for the one-in-a-hundred-thousand chance and would
probably find a couple of dozen every day. If a thief could enlist other computers to assist, he
might get hundreds (Schneier, 2004).
Action at a Distance
The Internet has no borders or boundaries. Every two points are adjacent, whether they
are across the hall or across the planet. If a criminal does not like the censorship laws or
computer crime statutes of his country, he could find a country more to his liking. This means
that attackers do not have to be anywhere near their prey, and this will complicate criminal
investigation and prosecution (Schneier, 2004).
Technique Propagation
Successful techniques can easily propagate through the Internet. The Internet is also the
perfect medium for propagating successful attack tools. Only the first hacker requires the skills
to commit the attack; everyone else can just use his software. Furthermore, once the tool is
released, it is impossible to control. For example, dozens of Internet sites allow you to download
viruses, virus construction kits, and virus designs (Schneier, 2004).
CLASSES OF DIGITAL ATTACKS
There are three broad classes of attacks: criminal attacks, publicity attacks, and legal
attacks. The last two are probably the more damaging (Schneier, 2004).
Criminal Attacks
Criminal attacks aim to achieve maximum financial return. Attackers vary from lone
criminals to sophisticated organized crime syndicates, from insiders looking to make some fast
money to foreign governments looking to wage war on a country’s infrastructure (Schneier,
2004). These attacks take the form of fraud, scams, destructive attacks, intellectual property
theft, identity theft, and brand theft (Schneier, 2004).
Publicity Attacks
Publicity attacks aim to get the attacker public attention. Attackers are generally skilled
hackers who know a lot about systems and their security. They often have access to significant
resources (either as students of large universities or as employees of large companies). They
usually do not have a lot of money, but do have a lot of time. Furthermore, they are not likely to
do anything that will put them in jail. A good example of this type of attack was the two
Berkeley graduate students who broke Netscape Navigator’s encryption scheme in 1995. They
did not use this weakness for monetary gain; instead, they called the New York Times. The
system designers soon realized that publicity seekers do not fall into the same threat model that
criminals do. Criminals will only attack a system for profit; publicity seekers will attack a
system if there is a good chance the Press will cover it. Attacks against large-scale systems or
widely fielded products are prime targets. The primary danger of these types of attacks is the
erosion of public confidence in the systems following the announcements. This is a particular
problem for electronic commerce systems. Defacing Web pages is one form of publicity attack;
however, denial-of-service (DoS) attacks are currently the most popular form of this attack
(Schneier, 2004).
Legal Attacks
The hardest attacks to protect against are attacks that use the legal system. Their aim is to
discredit a system and prove their client’s innocence by persuading a judge and jury that there
could be a flaw in the system. Attackers are highly skilled and well funded. They can use the
discovery process to get all the details of the target system they need. Furthermore, the attack
does not even have to work operationally; the attackers only have to find enough evidence to
adduce a flaw (Schneier, 2004).
ADVERSARIES: WHO IS ATTACKING YOUR NETWORK?
Hackers are not the gifted teenagers with poor social skills that the movies portray
(McCarthy, 2003), and they are not the only threats on the Internet. Schneier (2004) notes that
the adversaries on the Internet are basically the same as in the physical world and include lone
criminals, malicious insiders, industrial espionage, Press, organized crime, police, terrorists,
national intelligence organizations, and “Infowarriors”. Insiders account for the majority of
attacks since they have direct access to your computer systems as part of their daily job or
business relationship. Insiders include disgruntled employees, customers, suppliers, vendors,
business partners, contractors, temps and consultants (Skoudis, 2002). Schneier (2004) further
categorizes adversaries by their objectives, access, resources, expertise, and risk.
Objectives
The objectives of an industrial spy are not the same as those of an organized crime
syndicate. Industrial spies are really looking for secret information to gain a competitive
advantage, not for quick financial gain. Therefore, the countermeasures to stop the industrial spy
might not even bother the organized crime syndicate. Understanding the objectives of the likely
attackers is the first step toward figuring out what countermeasures are going to be effective
(Schneier, 2004).
Access and Resources
Adversaries also have different levels of access and resources. For example, a malicious
insider will have much more access than someone who is outside the organization. Some
adversaries are well funded, while others operate with little money.
Expertise
Some attackers have considerable technical expertise, while others have none. For
example, “script kiddies” have only rudimentary skills and do not understand how their tools
really work. Rather, script kiddies rely on prepackaged attack tools written by more elite hackers
and tend to indiscriminately scan large swaths of the Internet looking for the easy prey (Skoudis,
2002). An adversary will likely choose an attack that gives him good return on investment
considering his constraints of budget, expertise, access, manpower, time, and risk. Some attacks
require a lot of access but not much expertise. Some attacks require a lot of expertise but no
online access (for example, breaking an encryption algorithm). Each adversary is going to have
a set of attacks that is affordable to him and a set of attacks that is not (Schneier, 2004).
Risk
As well, different adversaries are willing to tolerate different levels of risk. For example,
terrorists are often willing to die for their cause, and criminals are willing to risk jail time, while
publicity seekers do not want to go to jail (Schneier, 2004).
Understanding Your Adversary
It is important to understand your adversary because with understanding comes the ability
to anticipate behavior and motivation. Furthermore, to understand the hacker who is likely to
attack your systems, you need to understand what it is that makes you a target (Pipkin, 2003).
Hackers may target your systems because of the information they contain, or some specific
resources to which they have access, or because it is easy to compromise. The reason for attack
could be financial, political, personal, or merely convenience due to location or ease of access
(Pipkin, 2003).
PROFILE OF A HACKER: WHY THEY DO IT
Understanding the hacker community is equally important as understanding the technical
tools they use to discover exploits (Honeynet Project, 2004). However, there is no official
“hacker identity card,” no reliable identifiable physical characteristics, nor any single means
among members of the community themselves for identifying others that share their identity
(Honeynet Project, 2004). Gaining an understanding of why individuals become hackers requires
a thorough analysis of what motivates them. There are six basic motivations prevalent in the
entire computer hacker community. Understanding these six motives will assist computer
security professionals in predicting the potential behavior of hackers who gain unauthorized
access to their networks. It will also help policy makers in deciding how best to protect the
nation’s critical information infrastructure given the plethora of threats to many of its key
components. The origins of the six motives come from the term MICE, which the Federal
Bureau of Investigation’s counterintelligence unit used. The original MICE acronym stands for
Money, Ideology, Compromise, and Ego. The six motives are captured in the acronym
MEECES, which stands for Money, Entertainment, Ego, Cause, Entrance to a social group, and
Status (Honeynet Project, 2004).
Money
This includes blackmail, extortion, and credit card theft. There are incidents where
hackers have stolen confidential client information from a company and then threatened to
expose this information if the company refused to pay. Unfortunately, many of these incidents
go unreported because the hacked companies decide to pay “quiet money” rather than report it to
the authorities or to publicize the incident. A spin-off of this type of extortion occurs when a
hacker offers to launch a DoS attack against a competing company in exchange for money.
Stolen credit cards have become “pseudo-currency” where thieves can trade freshly stolen credit
card numbers for money, merchandise, accounts on other computer systems, or most any other
item of value. It is also alarming that criminal enterprises are hiring talented hackers to create
financial gains for criminal entities. There appear to be no current or foreseeable inhibitors that
may attenuate this trend, so it is expected that money, as a source of motivation for hacking, will
continue to grow unabated (Honeynet Project, 2004).
Entertainment
Computer hackers may hack a company Web site and post embarrassing pictures or text
on the site as entertainment for themselves or their friends. They may also redirect the company
Web site to a pornographic Web site instead or they may tap into telecommunications systems
and reroute telephone calls for some popular business to an unlucky recipient’s home phone.
The number of potential schemes deployed in the name of entertainment is limitless. There is no
indication that this motivation will ever die off; however, it accounts for only a small portion of
the motivation of hackers. This type of hacking has the least consequences for the intended
target because the final objective appears to be more playful than destructive (Honeynet Project,
2004).
Ego
This is a core motivation shared by almost the entire hacking community. This comes
from the satisfaction of overcoming technical obstacles and creating innovative solutions to a
problem. It offers the hacker a psychological payoff in the form of a rise in self-esteem and
personal ego. This motivation should not be underestimated; it often overpowers many other
constraints that might otherwise restrain a hacker. Common examples of this are the large
number of cases where a hacker, without any malicious intentions, works feverishly and
successfully on a method to bypass the computer security on a targeted system such as a
government or military network. They undertake this objective in the face of the real threat of
discovery and apprehension and the subsequent serious legal ramifications (Honeynet Project,
2004).
Cause (Ideology)
Many different factors, such as geopolitical orientation, cultural influences, religion,
historical events, and views on current social issues, shape this motivation. Ideology-driven
hacking, often referred to as hacktivism, is a phenomenon that is becoming more common. The
belief, by some hackers, that all information should be free also drives this motivation.
Therefore, they break into companies like the Bell System networks, extract technical
information on telephone switching systems, and then publish the information on the Internet for
everyone to read and use. In other cases, hackers believe that commercial software products
cost so much that they discriminate against lower-income people, so they go about writing
password cracks and disabling copy protection measures. Ideology was also the motive to
redirect the Palestinian Islamic terrorist’s group Hamas’ Web site to a pornographic Web site,
the defacement of the Israeli Likud party leader Ariel Sharon’s Web site, as well as the mass
Web site defacements and DoS attacks between Palestinians, Israelis, and their supporters after
Ariel Sharon visited the Temple Mount. National boundaries are no defense to these attacks,
as witnessed by the official White House Web site, which was hacked by Korean computer
hackers. Cause (Ideology) as a motivation in the hacking community is likely to increase in the
future (Honeynet Project, 2004).
Entrance to a Social Group
There are social forces within the hacker community that make joining a group of other
like-minded individuals a more involved process. Joining a group may depend on the level of
skill the hacker possesses, since hackers tend to group themselves by the technical skills that they
have in common. Other hackers evaluate individuals whose technical skills are too far below
those in the group as “newbies,” “losers,” or other derogatory terms and tend to deny them
membership. Therefore, there is some motivation to write a particular exploit, to defeat a
particularly strong computer security defense, or to write some stealthy code that monitors
network traffic, to provide evidence of technical skill in order to join a group (Honeynet Project,
2004).
Status
This is by far the most powerful social force within the hacker community and motivates
more of the behavior within the community than any other component. Status within the hacker
community depends on technical skills in coding, network protocols, and other areas of
expertise. However, many of the information clues or “status markers” that are normally
exchanged in face-to-face interactions are absent in Internet Relay Chat (IRC). Therefore,
members have to resort to other means to broadcast their status position within the group. This
may take the form of bragging about how many systems they “own”, which of course fuels the
motivation to compromise computer systems in order to make a valid claim. Other status
markers in IRC include disclosure of knowledge to another group member or teaching another
member how to gain root access using a specific exploit or vulnerability (Honeynet Project,
2004).
TOOLS AND TECHNIQUES: HOW HACKERS DO WHAT THEY DO
Hacking used to require extensive knowledge of systems, networks, and protocols.
Gaining unauthorized access required either using the knowledge to subvert protocols or to write
programs that could exploit faults. However, hacking can now be automated (Pipkin, 2003) and
there are many powerful tools, which are freely distributed on the Internet, that can identify and
exploit vulnerabilities to compromise a system. An attacker does not need to understand how
these tools work, only how to run them. These tools require little knowledge to use, and can
be virtually undetectable until the damage is done (Pipkin, 2003). Most hackers carry their own
“toolbox” that will include versions of programs with back doors, programs that will help mask
their activities, and programs that exploit known problems. The hacker’s “toolbox” will vary
from simple tools to extremely sophisticated tools and will include using malicious code,
exploiting network protocols, exploiting vulnerabilities, and cracking passwords.
Malicious Code
Malicious code is one of the basic tools that all hackers will have. These include logic
bombs, parasites, Trojan horses, viruses, and worms. A logic bomb is a program that lies
dormant until it is activated. Either time, or the presence or absence of some data, such as when
a programmer’s name is no longer in the payroll file, may activate the program (Pipkin, 2003).
A parasite is a piece of code that is added to an existing program and draws information
from the original program. It gathers information for which the hacker may not have privileges.
It is a covert, nondestructive program (Pipkin, 2003).
A Trojan horse is a program that looks like a useful program, but has an alternate agenda.
To plant a Trojan horse, hackers will advertise the program to convince people to run it. The
program will usually do what it advertises to do as well as the covert action. Trojan horses can
be introduced as games or utilities. Utilities are especially effective because they are more likely
to be run by someone with privileges (Pipkin, 2003).
A virus is a program that infects another program by replicating itself into the host
program. A virus first infects a host, then activates itself to find another host to infect, and then
replicates by copying itself to the new host. Viruses are transported from one system to another
by being in a file that is moved from one system to another (Pipkin, 2003).
A worm is a program that is used as a transport mechanism for other programs and uses
the network to spread programs from one system to another. It uses a flaw in network transport
methods, such as network mail or remote process execution, to get its payload from one system
to another. First, a worm will search for a receptive system. Then it will establish a connection
to that system. Finally, it will transport its program to the remote system and execute the
program (Pipkin, 2003).
Exploiting Network Protocols
Since most systems are accessed over a network, hackers have hundreds of network
services from which they can attack. It is relatively easy for a hacker to create a back door,
spoof e-mail, spoof Internet protocol (IP) addresses, or flood systems.
A hacker could create a back door by exploiting the Internet daemon, inetd, which
controls some of the processes that communicate over the network. It listens to each port,
identifies a connection, and then passes control of the socket to the associated program. A
hacker could exploit this by adding a line in /etc/inetd.conf, which will attach a shell with root
privileges to a specific socket. Another way of creating a back door is to replace one of the
configured programs in inetd.conf with an alternate program, or just enable a disabled program,
such as rexd. Hackers know that the rexd server has serious security design flaws (Pipkin,
2003).
E-mail spoofing is a trivial spoof because a hacker does not need to obtain access or
authorizations to forge e-mail. Because simple mail transfer protocol (SMTP) consists of simple
ASCII commands, a hacker can input these commands manually by using a telnet connection to
the system’s SMTP port. Once connected, via telnet, a hacker can type the mail protocol
command directly to the port, identify someone else in the mail “From:” command, or send mail
to other systems by entering a “To:” command to another system (Pipkin, 2003).
IP spoofing is the act of sending packets with source addresses other than the actual
address of the originating host. These spoofed packets can have addresses that are unassigned or
addresses that belong to another host. Currently there is no way to stop IP spoofing because
authentication is not a feature of the protocol (IPSec will correct this, but it will take many more
years before it is widely used). For now, administrators should focus on preventing their
network from being the source of such an attack. Configuring border routers for ingress and
egress filtering is an effective first step (Pipkin, 2003).
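The ingress/egress filtering the text recommends reduces to one decision per packet: does the source address make sense for the interface it arrived on? The following is an added example, not from the paper, that implements that decision as a pure function and runs it over a few constructed packets. The site prefix 203.0.113.0/24 and the interface names are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Anti-spoofing (ingress/egress) filter decision for a border router.

Ingress rule:  a packet arriving from outside must not claim one of our own
               source addresses.
Egress rule:   a packet leaving from inside must carry one of our own source
               addresses, so our network can never originate a spoofed packet.
Bogon rule:    private, loopback, multicast and reserved sources are dropped
               on the border in either direction.
"""
import ipaddress
from dataclasses import dataclass

# Assumed site: the organization owns 203.0.113.0/24 behind interface "inside".
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never cross a border router.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # "inside" or "outside": the interface the packet arrived on
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(pkt):
    """Return ("accept" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_PREFIXES):
        return "drop", "bogon/private source on border interface"
    internal = _in_any(src, INTERNAL_PREFIXES)
    if pkt.iface == "outside" and internal:
        return "drop", "ingress: spoofed internal source arriving from outside"
    if pkt.iface == "inside" and not internal:
        return "drop", "egress: source not in our address space"
    return "accept", "source consistent with arrival interface"


# Constructed traffic sample (not captured traffic).
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.10"),   # normal inbound
    Packet("outside", "203.0.113.5", "203.0.113.10"),    # spoofed as one of ours
    Packet("inside", "203.0.113.10", "198.51.100.7"),    # normal outbound
    Packet("inside", "192.0.2.44", "198.51.100.7"),      # spoofed outbound
    Packet("outside", "10.1.2.3", "203.0.113.10"),       # private source from the Internet
]


def verdicts(packets=SAMPLE_PACKETS):
    """Verdict per packet, in order, for the sample or any packet list."""
    return [filter_decision(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = filter_decision(p)
        print(f"{p.iface:8} {p.src:>14} -> {p.dst:<14} {verdict:6} ({why})")
```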
Finally, a hacker may try to flood a system and prevent it from being useful by
consuming system resources. The consumed resources can be general resources, such as
memory, storage, or computation. However, more often the consumed resources are specific
resources such as buffers or queues. In many cases, system flooding will result in the system
hanging or failing completely (Pipkin, 2003).
Exploiting Vulnerabilities
Exploiting known vulnerabilities is the most common method of attack because tools are
widely available to find systems with known vulnerabilities as well as attack the known
vulnerabilities. Tools such as scanners, profilers, sniffers, and snoopers can all be run without
any knowledge of the vulnerability being exploited (Pipkin, 2003).
Scanners look at many systems and make a preliminary evaluation of the software being
run on the system. They usually sweep through address spaces looking for vulnerable services
running on the system. Scanners can determine the system hardware and operating system
software, including the particular version. They can determine what services are available on
each system and which software provides those services (Pipkin, 2003).
Profilers take a more in-depth evaluation of a specific system to determine the type of
hardware and software being used. Profilers will identify the versions and patch levels so that a
specific attack can be crafted. The processes of scanning and profiling are often combined
(Pipkin, 2003).
A sniffer or snooper is a program that watches data travel through the system looking for
a particular type of information. Snoopers may be attached to a network interface to watch all
the network traffic or to a disk interface to watch all the data flowing to or from the disk.
Snoopers can also be parasites, inserted inside a system, like the print spooler or login system,
secretly gathering information (Pipkin, 2003).
Password Cracking
Passwords are most computer systems’ primary method of authentication and are usually
protected by strong encryption. Reverse engineering the encryption algorithm is nearly
impossible, so hackers try to guess the password using an automated process. They are usually
successful because users are not educated on the wise selection of passwords and select a
password from only a minuscule percentage of all possible passwords. Hackers will try a
dictionary attack using all the information available about a user, such as the user’s name,
initials, account name, and any other personal information known. The dictionary will include
common first names; characters, titles, and locations from works of fiction, television and film,
cartoons, and computer games; sports terms; and terms based on the industry in which the
computer is being used. All of the words will be permuted by varying case, reversing spelling,
substituting numbers for letters, appending digits to words, and pairing two words separated by a
special character. Studies show that between 25 and 30 percent of passwords will be cracked
using this process (Pipkin, 2003).
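The same mangling rules turned to the defender's use: a password policy check that rejects anything the dictionary attack described above would recover. This is an added example, not from the paper or its sources; the user record and the tiny common-word list are constructed, and a real list would have tens of thousands of entries.

```python
"""Password policy check modelled on the dictionary attack described above:
the user's own details plus common words, each permuted by case, reversal,
digit-for-letter substitution, appended digits, and pairing of two words with
a special character. Added example; user record and word list are constructed."""
import itertools
from typing import Dict, Iterable, Set, Tuple

# Digit-for-letter substitutions, applied to either case.
_LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
LEET = str.maketrans({**_LEET, **{k.upper(): v for k, v in _LEET.items()}})
SPECIALS = "!@#$%^&*-_."
# Deliberately tiny stand-in for the names/fiction/sports/industry lists.
COMMON_WORDS = ["password", "letmein", "dragon", "monkey", "summer", "winter"]


def single_word_variants(word: str) -> Set[str]:
    """Case variation, reversal, leet substitution and appended digits for
    one base word: the per-word mangling rules the text lists."""
    out: Set[str] = set()
    for w in (word.lower(), word.upper(), word.capitalize()):
        forms = {w, w[::-1]}
        forms |= {f.translate(LEET) for f in forms}
        for f in forms:
            out.add(f)
            out.update(f"{f}{d}" for d in range(100))  # "word0" .. "word99"
    return out


def seed_words(user: Dict[str, str]) -> Set[str]:
    """Everything known about the user that goes into the dictionary:
    names, initials, account name, and any other detail in the record."""
    words = {v.lower() for v in user.values()}
    initials = "".join(user[k][0] for k in ("first", "last") if k in user)
    if initials:
        words.add(initials.lower())
    return {w for w in words if len(w) >= 2}


def crackable_set(user: Dict[str, str],
                  common: Iterable[str] = COMMON_WORDS) -> Set[str]:
    """The candidate set a dictionary attack built from this user's details
    and the common-word list would try."""
    words = seed_words(user) | {w.lower() for w in common}
    candidates: Set[str] = set()
    for w in words:
        candidates |= single_word_variants(w)
    # Two words joined by a special character, in both orders.
    for a, b in itertools.permutations(sorted(words), 2):
        for s in SPECIALS:
            candidates.add(f"{a}{s}{b}")
            candidates.add(f"{a.capitalize()}{s}{b}")
    return candidates


def check_password(password: str, user: Dict[str, str],
                   min_len: int = 12) -> Tuple[bool, str]:
    """Decision at password-set time: reject anything the modelled attack
    would find, then anything too short to resist plain guessing."""
    if password in crackable_set(user):
        return False, "derivable from user details or common words"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


# Constructed user record of the kind the text says an attacker collects.
USER = {"account": "jsmith", "first": "John", "last": "Smith", "company": "Acme"}

if __name__ == "__main__":
    for candidate in ("Smith99", "htimsj", "acme!john", "Dr4g0n",
                      "short1!", "violet-cobalt-marble-37"):
        print(f"{candidate!r}: {check_password(candidate, USER)}")
```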
Multi-vector Attacks
The attacks described above are generally one-dimensional, mainly in the form of
viruses, worms, and unauthorized intrusions, and are launched against Web sites, mail servers or
client machines. However, there is a fundamental change in recent attacks. Cyber attacks are
becoming more diverse resulting in multi-vector weapons that use a variety of attack tools and
technologies. Most multi-vector attacks now use a variety of different exploits, propagation
methods, and payloads. Hackers are increasingly using new technologies, such as instant
messenger (IM), chat programs (IRC), and peer-to-peer (P2P) networks to exploit vulnerabilities.
These programs were developed with functionality in mind, not security. Since their use has
become ubiquitous, hackers are now taking advantage of their security deficiencies.
Furthermore, infected machines are used to launch attacks against other targets; and this trend is
intensifying (Goetz, 2002).
IM and IRC services are inherently insecure. Vulnerabilities have been discovered and
the first worms that use these technologies have started to emerge. Furthermore, hackers are
now using IM and IRC programs to coordinate other forms of cyber attacks, such as distributed
denial-of-service (DDoS) strikes. DDoS attacks are made up of hundreds or even thousands of
machines. Even larger DDoS networks have been discovered – some containing tens of
thousands of machines – many times more than were used to disrupt Yahoo! and CNN Web sites
in February 2001. P2P networks are also vulnerable and are being used by hackers for malicious
ends. P2P networks are particularly vulnerable to the spread of malware (i.e. viruses, Trojans,
and worms) because they connect millions of machines to one another and downloading
programs is their raison d’être (Goetz, 2002).
Examples of multi-vector attacks include Code Red, Nimda, and BadTrans. These
attacks used a combination of formerly stand-alone attacks by merging viruses, Trojans, worms,
and hacker techniques into automated, multi-vector tools that can rapidly propagate across the
Internet. Propagation is achieved by employing mass-mailing capabilities. Once a system is
infected, all the e-mail addresses on that system are harvested and the attacking program sends
copies of itself to all these e-mail addresses. The existence of malicious code in the e-mail is
disguised by randomly changing the subject line and/or content of the e-mail, or even by
spoofing the sender address. The Klez worm is an example of this. Klez also allows the Elkern
or CIH virus to hitch a ride, thereby acting as their delivery mechanism. It also disables security
software to avoid detection (Goetz, 2002).
THE HACKING LIFECYCLE: A METHODICAL PROCESS
Today, hackers are more skilled and often have a plan and an objective. First, they will
do reconnaissance, i.e. select the target, and identify the systems they want to attack by gathering
as much information as possible. Then they will gain access to the system and acquire privileges
until they have control of the system. During this process, hackers will monitor the activities of
the system administrator, cover up any evidence to avoid detection, and open a back door so they
can return at any time. Then they will branch out to other systems. They will collect many
systems to make tracing their activities as difficult as possible. Finally, they will make their way
to the target system and achieve their goal of engaging in whatever malicious activities they have
planned (Pipkin, 2003). Understanding this process is critical to deploying countermeasures and
prevent intrusions. Regardless of the objectives or type of the adversary you may be facing, this
is the normal process that hackers use to attack systems, and it is very predictable.
Phase 1 - Reconnaissance
For the hacker, target selection is the easiest part of the attack. However, for victims it is
normally difficult to understand. Hackers may attack your system because of who you are, what
you do, who your customers are, what you know, or what you have. You need to understand this
and you need to consider that your system might not be the ultimate target of the attack. Your
system may be a stepping-stone that the hacker needs to get to his final destination. It is rare that
hackers attack the target system directly or as the first system, and most attacks use many
stepping-stones to get to their final destination (Pipkin, 2003). Without even using a computer, a
hacker may gain valuable information about your organization. Using a variety of techniques
such as social engineering, physical break-in, and dumpster diving, a hacker can potentially learn
passwords, gain access to detailed network architectures, and collect system documentation.
When used by an experienced hacker, these techniques are very effective (Skoudis, 2002).
Online resources that hackers may use during their reconnaissance include your organization’s
own Web site, search engines, and the Usenet. These resources often reveal employees’ contact
information, clues about the corporate culture and language, business partners, recent mergers
and acquisitions, and technologies in use (Skoudis, 2002). After the reconnaissance, a hacker is
armed with vital information and will use this information to begin scanning your systems to
gather further information in hopes of discovering vulnerabilities.
Phase 2 - Gathering Information
This is the most important part of hacking a system. More information about a system
increases the ability for the hacker to achieve his goals and decreases the chances that he will be
caught. Identification tools locate and identify target systems while avoiding detection by
intrusion detection systems. Good reconnaissance increases successful hacks. Hackers will be
looking for company information that may aid with social engineering attacks. Knowing the
company’s organization and business improves the hacker’s ability to find and exploit
weaknesses. The hacker will also gather information about the specific system such as hardware
and software versions, and what the system is used for. Knowing who owns the machine, who
uses it, and who administers it can indicate the likelihood that it will contain the information the
hacker is looking for and the ability to compromise it without being detected. Understanding the
business process can lead to where valuable information is stored and where the likely weak
links in the business process might be. It can also identify the people who have access to
valuable information. A business partner’s system may be easier to compromise and lead to an
easier access point. Therefore, hackers will look for newly formed business partnerships as an
alternate way to attack the target system. Finally, hackers will study users and their accounts
since they are often the weakest link in the security chain. This indicates which accounts are
safer to use. Typically, hackers will look for accounts that have not been used in a long time or
have considerable idle time (Pipkin, 2003). Techniques used during this phase include war
dialing, demon dialing, network mapping, port scanning, and vulnerability scanning.
A war dialer is a tool used to scan a large pool of numbers to find modems, whereas a
demon dialer is a tool used to attack just one modem, guessing password after password in an
attempt to gain access. Users sometimes install modems in their personal computer to get around
their company’s firewall policies. However, they are not the only guilty parties in an
organization. System administrators sometimes leave the system connected to modems and
apply little or no security. War dialing often discovers these modems connected to servers and
routers that either request no password, or have a trivial password (Skoudis, 2002).
Network mapping will usually begin at your Internet gateway, including your
demilitarized zone (DMZ) systems such as your public Web server, mail server, FTP server, and
DNS server. Hackers will methodically probe these systems in an attempt to compromise your
Internet perimeter, then move on to your internal network. Hackers will ping all possible
addresses in your network to determine which ones have active hosts, then use traceroute to
determine the routers and gateways that make up your network. Ping and traceroute
functionality is built into most operating systems; however, several automated and easy-to-use
tools make network mapping effortless, and these tools are freely distributed on the Internet
(Skoudis, 2002). By this point in the process, a hacker knows the addresses of your active hosts,
has a good understanding of your network topology, and is ready to learn potential entryways by
using port scanners.
Each machine with a TCP/IP stack has 65,535 TCP ports and 65,535 UDP ports, all of
which are potential entryways into the machine. Common ports such as port 80 on Web servers,
port 53 on DNS servers, and port 25 on mail servers will likely be open. Request For Comment
(RFC) 1700 defines assigned port numbers so a hacker simply has to refer to this document to
learn what service is running when an open port is discovered. Most port scanning tools can
scan specific ports, a range of ports, or all possible ports, and still avoid detection. Port scanning
tools are also freely distributed on the Internet, the most popular and capable one being Nmap by
Fyodor (Skoudis, 2002). Successful scanning provides a lot of useful information to the hacker,
but vulnerability scanning is still required to learn how to get into the target system.
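What a port sweep looks like from the defender's side: detection logic that runs over border firewall log lines and flags a source touching many distinct ports on one host within a short window. This is an added example, not from the paper; the log format, the sample lines and the thresholds are constructed.

```python
"""Port-scan detection over border firewall logs: flag any source that
reaches many distinct destination ports on one host within a short window.
Added example; the log format and every log line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>TCP|UDP) dpt=(?P<dpt>\d+)$"
)
Event = Tuple[datetime, str, str, str, int]  # ts, src, dst, proto, dport


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; lines in any other format are ignored."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            m["proto"], int(m["dpt"]))


def detect_port_scans(lines: List[str], threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)
                      ) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): most distinct ports seen inside any one window}
    for every source/destination pair that reached `threshold` ports."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dst, _proto, dport = ev
            by_pair[(src, dst)].append((ts, dport))
    alerts: Dict[Tuple[str, str], int] = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= threshold:
                alerts[pair] = max(distinct, alerts.get(pair, 0))
    return alerts


def _line(ts: datetime, src: str, dport: int, action: str = "DROP") -> str:
    """Build one constructed log line in the format LOG_RE expects."""
    return f"{ts.isoformat()} {action} src={src} dst=203.0.113.10 proto=TCP dpt={dport}"


T0 = datetime(2004, 11, 20, 10, 0, 0)
SAMPLE_LOG = (
    # fast sweep: 16 distinct ports in 16 seconds
    [_line(T0 + timedelta(seconds=i), "198.51.100.7", 20 + i) for i in range(16)]
    # ordinary web client: only ports 80 and 443, over and over
    + [_line(T0 + timedelta(seconds=i), "192.0.2.44", 443 if i % 2 else 80, "ACCEPT")
       for i in range(30)]
    # slow sweep: 12 ports, one every ten minutes, never 10 inside one window
    + [_line(T0 + timedelta(minutes=10 * i), "198.51.100.9", 100 + i) for i in range(12)]
    + ["Nov 20 10:05:00 kernel: unrelated line that must be ignored"]
)

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports")
```

A slow sweep only shows up when the window is widened, which is the trade-off between catching patient scanners and raising alerts on ordinary clients.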
Vulnerability scanning provides a list of vulnerabilities on the target system that a hacker
could exploit to gain access. Vulnerability scanners automate the process of connecting to the
target system and can check for many hundreds of vulnerabilities such as common configuration
errors, default configuration weaknesses, and well-known system vulnerabilities. For example, a
vulnerability scanner will check to see if your system has an older version of BIND DNS server
that allows a hacker to take control of your server. It could also check to see if you have
misconfigured your Windows NT system to allow a hacker to get a complete list of users through
a NULL session. As with network mapping tools and port scanning tools, vulnerability scanning
tools are freely available on the Internet (Skoudis, 2002). With a list of potential vulnerabilities,
the hacker will then seek to exploit these vulnerabilities to gain access to the target system.
Phase 3 - Gaining Access
Access may be physical access or network access and the approach will depend heavily
on the skill level of the hacker. Script kiddies will use pre-packaged exploits that they learn from
published sources at www.packetstorm.security.com, www.technotronic.com, or
www.securityfocus.com. Hackers that are more sophisticated will use highly pragmatic
approaches such as stack-based buffer overflow attacks, password attacks, and web application
attacks such as account harvesting, undermining session-tracking mechanisms, and SQL
piggybacking (Skoudis, 2002).
Stack-based buffer overflow attacks are the most prevalent attack used to compromise
systems. While exact figures are unavailable, buffer overflows – also known as stack smashing – are
believed to account for at least half of all online attacks. The number of security advisories
issued supports this assumption. In 2001, CERT-CC issued 37 security advisories; 19 of these
warned of buffer overflow vulnerabilities. These attacks have been shown to affect all kinds of
platforms, operating systems and applications, making them a pervasive problem. Basically, a
buffer overflow exploit takes advantage of input that is placed into memory without proper bounds
checking. By writing past the end of the buffer, parts of memory that are supposed to be untouched
are overwritten. Under current system design this makes it possible to alter program flow, thereby
allowing the attacker to execute arbitrary code on the vulnerable machine (Goetz et al., 2002).
To crack passwords, hackers may use automated tools such as THC-Login Hacker,
brute_ssl and brute_web for passwords based on HTTP and HTTPS authentication, and
Hypnopaedia, which will guess passwords that use the POP3 protocol. Other popular password
crackers include L0phtCrack, an easy to use Windows NT/2000 password cracker, and John the
Ripper, a UNIX password cracker (Skoudis, 2002). Most hackers will have all of these and
many more tools in their toolbox.
Account harvesting is a particular problem for web applications. Using this technique a
hacker can determine legitimate userIDs and even passwords of a vulnerable application.
Account harvesting simply targets the authentication process when an application requests a
userID and password. When an invalid userID is entered, error number 1 is returned, and when
an invalid password is entered, error number 2 is returned. Based on this distinction, the
hacker will use a script to guess all possible userIDs, with an obviously false password, changing
the userID until he finds a valid one. This is pure userID guessing through scripting and an easy
way for the hacker to harvest a large number of valid userIDs from the target application. With a
list of userIDs compiled, the hacker will then try to harvest a list of passwords (Skoudis, 2002).
Undermining session tracking mechanisms is another common technique to attack Web
applications. After a user authenticates to a Web application (through a valid userID and
password), most Web applications generate a session ID to track the user’s session. This session
ID is passed back and forth across the HTTP or HTTPS connection for all subsequent
interactions that are part of the session, such as browsing Web pages, entering data into forms, or
conducting transactions. The Web application uses this information to track who is submitting
the request. There are many techniques used to implement session tracking, but cookies are the
most widely used mechanism. Many Web applications have vulnerabilities in how they allocate
and control these session IDs. A hacker may be able to obtain an assigned session ID and alter it
in real time to a session ID that is currently assigned to another user. If successful, the Web
application will treat the hacker’s session as belonging to the other, legitimate user. For example,
in an online banking application the hacker could then
transfer funds, possibly write checks, or make investment trades on behalf of the user (Skoudis,
2002).
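Both Web application weaknesses just described, account harvesting through distinct error codes and alterable session IDs, shown in a minimal login service written two ways, weak and hardened. This is an added example, not code from the paper or its sources; the user accounts are constructed, and the audit helpers at the end are the checks a reviewer would run against such a service.

```python
"""A minimal login service in a weak and a hardened form. The weak service
returns error 1 for an unknown userID and error 2 for a bad password (so
userIDs can be harvested) and issues sequential session IDs (so one user's ID
can be altered into another's). The hardened service returns one uniform
failure and binds a 128-bit random session ID to the authenticated user.
Added example; the accounts are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; raise it in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Salted, iterated password hashes. verify() reports the two facts a
    verbose login leaks: whether the user exists and whether the password matched."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._dummy_salt = secrets.token_bytes(16)

    def add(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, _hash(password, salt))

    def verify(self, user_id: str, password: str) -> Tuple[bool, bool]:
        rec = self._users.get(user_id)
        if rec is None:
            _hash(password, self._dummy_salt)  # same cost, so timing is uniform
            return False, False
        salt, digest = rec
        return True, hmac.compare_digest(digest, _hash(password, salt))


class WeakLogin:
    """Distinct error codes and a plain counter for session IDs."""

    def __init__(self, users: UserStore) -> None:
        self.users, self.sessions, self._next = users, {}, 1000

    def login(self, user_id: str, password: str) -> Tuple[Optional[str], int]:
        exists, ok = self.users.verify(user_id, password)
        if not exists:
            return None, 1          # error 1: no such userID
        if not ok:
            return None, 2          # error 2: wrong password for a real userID
        sid, self._next = str(self._next), self._next + 1
        self.sessions[sid] = user_id
        return sid, 0


class HardenedLogin:
    """One failure code for every failed attempt; unguessable session IDs."""

    def __init__(self, users: UserStore) -> None:
        self.users, self.sessions = users, {}

    def login(self, user_id: str, password: str) -> Tuple[Optional[str], int]:
        exists, ok = self.users.verify(user_id, password)
        if not (exists and ok):
            return None, 1          # identical for unknown user and bad password
        sid = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = user_id
        return sid, 0

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def leaks_user_existence(service, known_user: str, unknown_user: str) -> bool:
    """Audit check: with a bogus password, does the response differ between a
    real and a non-existent userID? True means accounts can be harvested."""
    return service.login(known_user, "x")[1] != service.login(unknown_user, "x")[1]


def session_ids_sequential(service, a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """Audit check: log two users in and see whether the second session ID is
    simply the first plus one, i.e. whether another user's ID can be guessed."""
    sid_a, _ = service.login(*a)
    sid_b, _ = service.login(*b)
    return (sid_a is not None and sid_b is not None and sid_a.isdigit()
            and sid_b.isdigit() and int(sid_b) == int(sid_a) + 1)
```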
Another weakness of many Web applications involves problems with accepting user
input and interacting with back-end SQL databases. Based on interactions with a legitimate user,
the Web application accesses the back-end database to search for information or update fields.
This involves sending SQL statements to the database that include search criteria based on the
information entered by the user. By carefully constructing a statement in a user input field of a
vulnerable Web application, a hacker could extend an SQL statement to extract or update
information that he is not authorized to access. Essentially, the hacker is piggybacking extra
information onto the end of a normal SQL statement to gain unauthorized access (Skoudis,
2002).
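The piggybacking just described, on a tiny account lookup: the vulnerable query splices the user's input into the statement text, while the safe query passes it as a bound parameter so the database only ever sees it as a value. This is an added example with a constructed in-memory database, not code from the paper.

```python
"""SQL piggybacking on an account lookup, vulnerable and hardened.
Added example; the database contents and the piggybacked input are constructed."""
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, int]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 1200), ("bob", 300), ("carol", 9800)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Row]:
    # The search criterion becomes part of the SQL text, so input containing
    # a quote can close the literal and extend the statement.
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[Row]:
    # Bound parameter: the value travels separately from the statement, so it
    # is compared as data and never parsed as SQL.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


OWNER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_validated(conn: sqlite3.Connection, owner: str) -> List[Row]:
    """Defence in depth: reject input that cannot be an owner name before it
    reaches the database at all, then use the bound-parameter query."""
    if not OWNER_RE.match(owner):
        raise ValueError("invalid owner name")
    return lookup_safe(conn, owner)


# Constructed input that piggybacks an always-true condition onto the query.
PIGGYBACKED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PIGGYBACKED_INPUT))  # every row
    print("safe:      ", lookup_safe(db, PIGGYBACKED_INPUT))        # no row
```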
There are many more methods of gaining access through network attacks by targeting the
Data Link layer protocols with sniffing tools such as Snort and Sniffit. DNS spoofing, IP address
spoofing, and session hijacking are other ways of gaining unauthorized access. Obviously,
access from inside the network gives the hacker many more options for probing and attacking a
system, since corporate networks are usually guarded at the perimeter and direct attacks on a
firewall are usually noticed (Pipkin, 2003).
Physical access may be gained through a shared utility closet. A hacker could then install
his computer as a peer on the corporate network thereby increasing his chance of successfully
compromising the system (Pipkin, 2003).
Phase 4 - Acquiring Privileges
All accounts, programs, and services have some privileges to perform their functions and
each element usually has different levels of privileges based on security requirements.
Therefore, a hacker will first try to acquire low-level (i.e. user) privileges and then use them to
leverage higher privileges with the ultimate goal of acquiring administrator privileges. Once a
hacker has access to your system, keeping him from gaining more privileges is the hardest thing
for a security administrator (Pipkin, 2003).
Phase 5 - Avoiding Detection
Hackers do not want to be caught, not even those looking for publicity, because their
online life and notoriety are based on their online identity or “handle.” Revealing their handle
might lead to discovering their physical whereabouts and potentially arrest. Therefore, many of
the tools in the hacker’s toolbox will provide him some level of stealth. Some of these tools
replace system utilities with versions that do not report the presence of the hacker, his tools, or his
activities. The goal of stealth tools, therefore, is to keep the hacker from being discovered
(Pipkin, 2003). Some of the techniques hackers use to cover their tracks include altering event
logs in Windows NT/2000, altering accounting and shell history files in UNIX, creating hidden
files and directories, and using covert channels – a technique known as tunneling (Skoudis,
2002).
Realizing the Goal
Hackers usually want more than just access to information or use of your system’s
resources. Most hackers have a goal – a reason for their attacks – and to accomplish this goal,
the hacker must compromise the system. The most common way to compromise a system is by
exploiting known vulnerabilities in software code, improper configurations, or inadequate
administration. Hackers are continuously discovering new exploits, documenting them, and
sharing them within the hacker community. Vendors address and repair these vulnerabilities, but
not all administrators apply the patches, so many systems remain vulnerable long after a fix for the
problem is available (Pipkin, 2003).
FINAL THOUGHTS AND RECOMMENDATIONS
McCarthy (2003) has some key recommendations that all business owners and decision
makers should consider. First, you need to know what the risks are to the data on your network.
Obviously some information on your network is more important than other information. That is
why you need to do a proper risk analysis of your network. Second, you need to understand that
the hacker is not just a precocious teenager looking to explore the Internet. Hacker theft is
becoming more deliberate and well organized. Consider that in March 2001 FBI officials
reported that ongoing computer hacking by organized criminal groups in Russia and the Ukraine
had stolen more than a million credit card numbers. McCarthy (2003) summarizes her
recommendations as follows:
Know your risks. Conduct a proper risk analysis and if necessary, have experts inside your company classify the data. Add higher levels of control to high-risk data.
Avoid out-of-the-box installations. Unless you take proper security precautions, installing systems with the default configuration will leave your network full of security holes.
Test your network. If you do not check your system for security holes, someone else will, and chances are that someone else will not be on your side. A wide variety of security audit tools are available – use one of them to conduct an audit.
Know the people who know your data. Do not assume that your application experts and network administrators are security experts. They may have different priorities and knowledge about the value of your data.
Assign or acquire adequate funding for security. Security always comes down to funding and you do not want to spend more to protect something than it is actually worth. Therefore, you need to know which data you should protect and what that data is worth.
Remove old accounts. Dormant user accounts, like those left by former employees or workers on an extended leave of absence, are a common security risk.
Test passwords. Passwords are your first line of defense and a hacker only needs to crack one of them. Run a password cracker on your passwords and teach users how to select good passwords.
Apply security patches. All systems have flaws and they need to be patched. Consider using an automated patch management program if your network is large.
Follow security policies and procedures. As a minimum, you should have policies and procedures for installing and configuring applications, and maintaining sensitive data. Without these, chances are good that applications will be installed with the standard out-of-the-box configuration.
Work with experts. Using outside experts is not a sign of weakness within your company – it is a sign of good sense. Unless your company is quite large, you probably do not need a full-time security expert on staff.
Use training. Security is not something that most technicians or system administrators focus on in school or in on-the-job training. Also remember that security issues are not static, so security training done years ago does not count.
CONCLUSION
This paper has reviewed the literature on digital threats and hacking techniques with the
aim of providing a solid introduction for business owners and decision makers. It shows that
traditional, one-dimensional thinking is not optimal for securing today’s systems because
technologies are advancing too quickly and new vulnerabilities and methods of attack are
discovered on a daily basis. In addition, cyber threats have expanded their scope and reach,
targeting, or using new technologies, including instant messenger, chat tools, and peer-to-peer
networks. These new technologies help link a multitude of systems together, thereby potentially
creating a wide range of new launch points for attacks. Furthermore, the window of opportunity
for security professionals to patch their systems has dramatically declined to as little as 5.8 days
from the time a vulnerability is discovered.
The characteristics of the Internet make controlling digital crime almost impossible
because automation makes attacks with a minimal rate of return profitable. Furthermore,
adversaries do not need to be close to their prey – they could just as easily be anywhere in the
world. Successful attack tools and techniques are freely and widely published on the Internet
and they propagate so quickly that they are impossible to control.
The seminal thinkers on security have concluded that the adversaries to today’s digital
world range from script kiddies to highly intelligent, well funded and organized crime
syndicates. Business owners and decision makers need to know who their adversaries are to
develop the right countermeasures. They need to understand what motivates hackers and what
tools and techniques hackers will likely use against online business. Business people also need
to understand that for most hackers, their behavior is very methodical and predictable. This
means businesses can and must implement proactive security defenses because reactionary
defenses are not a suitable solution.
Business owners and decision makers need to be cautious of out-of-the-box security
solutions. Instead they will have to get more involved with their security team in developing the
right security solution based on their bona fide business needs. This is critically important and
ignoring this can cost a company in many ways, such as financial loss, loss of proprietary
information, loss of competitive edge, company embarrassment, and even legal costs if personal
or private information is revealed.
References
Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Richardson, R. (2004). 2004 CSI/FBI Computer Crime and Security Survey (Computer Security Institute). San Francisco. Retrieved November 24, 2004, from Computer Security Institute Web site: http://www.GoCSI.com
Symantec Security Response. (2004). In S. Entwisle (Ed.), Symantec Internet Security Threat Report: Trends for January 1, 2004 to June 30, 2004 (Volume VI). Cupertino, CA. Retrieved November 24, 2004, from Symantec Web site: http://www.symantec.com
Goetz, E. (2002). Diversification of Cyber Threats (Investigative Research for Infrastructure Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth College.
Goetz, E., Berk, V., Jiang, G., & Burroughs, D. (2002). Cyber Attack Techniques and Defense Mechanisms (Investigative Research for Infrastructure Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth College.
The Honeynet Project. (2004). Know Your Enemy: Learning About Security Threats (2nd ed.). Boston: Pearson Education, Inc.
McCarthy, L. (2003). IT Security: Risking the Corporation. Upper Saddle River, NJ: Prentice Hall PTR.
Pipkin, D. L. (2003). Halting the Hacker: A Practical Guide to Computer Security (2nd ed.).
Schneier, B. (2004). Secrets & Lies: Digital Security in a Networked World. Indianapolis, Indiana: Wiley Publishing, Inc. (Original work published 2000)
Skoudis, E. (2002). Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses. Upper Saddle River, NJ: Prentice Hall PTR.
APPENDIX A
ANNOTATED BIBLIOGRAPHY
Allen, J. H. (2001). The CERT® Guide to System and Network Security Practices. Upper Saddle River, NJ: Pearson Education Corporate Sales Division.
This guide is a practical, step-by-step approach to protecting systems and networks against malicious and inadvertent compromise. The security practices in this guide are based on Carnegie Mellon University’s Software Engineering Institute and the CERT Coordination Center’s extensive data on security breaches and vulnerabilities. This book is designed to be a reference manual and includes cross-referencing from one practice to other, related practices. It details how to detect, respond to, and recover from intrusions. It provides an authoritative view of the most common problems system and network administrators confront. However, to get value from this book, you must be familiar with fundamental security concepts such as establishing secure communications, systems and network monitoring, authentication, access control, and integrity checking. By implementing the solutions presented, administrators will have protection for up to 80 percent of the security incidents reported to CERT.
Goetz, E. (2002). Diversification of Cyber Threats (Investigative Research for Infrastructure Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth College.
This report introduces a clear trend toward a diversification of cyber attack activity in recent years. It describes how hacking and malware techniques have been merged into potentially nasty multi-vector threat weapons that contain a variety of exploits, propagation methods and payloads. It also reports on new tools and technologies that attackers are using and raises some serious concerns about the Internet’s infrastructure components, such as routers and the Domain Name System (DNS). Finally, this paper introduces the idea of cognitive attacks aimed at altering decision makers’ perception of reality through the injection of misinformation.
Goetz, E., Berk, V., Jiang, G., & Burroughs, D. (2002). Cyber Attack Techniques and Defense Mechanisms (Investigative Research for Infrastructure Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth College.
This report focuses on cyber attack techniques and defense mechanisms by giving detailed explanations of two of the most common vulnerabilities. First, the report describes how buffer overflows can be exploited. It introduces basic concepts of memory management, such as program control flow and the workings of the program execution stack, to illustrate how buffer overflows work, and then suggests how to defend against this class of vulnerability. Second, the report shows how an attacker could exploit the Extended Unicode Directory Traversal vulnerability in Microsoft Internet Information Server (IIS) to run malicious code and gain control of a system. It introduces the protocols used during such an attack and describes exactly how the exploit works. This is one of the most detailed reports I have seen, and it uses extensive references to support its findings and recommendations.
Anonymous. (2001). Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network (3rd ed.). Indianapolis, Indiana: Sams Publishing.
This book has multiple contributors, each knowledgeable within their own area of expertise, and has received praise from well-known sources such as PC Computing, ZDNet, ComputerWorld, and the IEEE Technical Committee on Security and Privacy. It is an in-depth security manual that starts with the basic concepts of TCP/IP, hackers, crackers and the state of the Internet. The book covers the techniques used by hackers, such as spoofing, password cracking, viruses and worms, Trojans and sniffers, as applied against Microsoft, UNIX, Novell, Macintosh, and VAX/VMS systems. It also presents a "defender's toolkit" to counter these threats. The book goes beyond being a handy reference guide: it can be used to fix specific problems or to build a complete security program. To fully understand how hackers do what they do, this book is a must-read for network administrators and security officers.
Cole, E. (2001). Hackers Beware: Defending Your Network from the Wiley Hacker (First ed.). United States of America: New Riders Publishing.
Eric Cole (CISSP, CCNA, MCSE) is a former Central Intelligence Agency (CIA) employee who today is a highly regarded speaker for the SANS Institute. He is an adjunct professor at Georgetown University and has taught at the New York Institute of Technology. The point of his book is that there is no way to properly protect a company's network unless its defenders know what they are up against. Hackers Beware teaches how hackers think, what tools they use, and the techniques they utilize to compromise a machine. To show just how bad the problem is, the author gives examples of sites that have been hacked, such as the U.S. Department of Commerce, UNICEF, NASA, the CIA, Greenpeace, Tucows, the New York Times, Motorola, and many more. The book also describes general trends in Internet security.
Gupta, A., & Laliberte, S. (2004). Defend I.T.: Security by Example. Boston, Massachusetts: Pearson Education, Inc.
Ajay Gupta is the founder and president of a security company that provides data privacy services to federal, state, and local governments. His co-author, Scott Laliberte, has extensive experience in information security, network operations, incident response and e-commerce. The authors use a collection of case studies, based on real experiences, to demonstrate important security practices and principles. By examining these case studies, the authors explain what could have been done differently to avoid the losses incurred. The book covers the basics of hacking, including mapping a network, exploiting vulnerabilities and launching denial-of-service attacks. It discusses the latest attack methods as well as some of the classic means of compromising networks, such as war dialing and social engineering. Finally, often-overlooked security measures such as developing a security policy, intrusion detection systems, and disaster recovery are discussed. The book is a good source of practical examples of the types of issues that security professionals must be prepared to face in the execution of their duties.
The Honeynet Project. (2004). Know Your Enemy: Learning About Security Threats (2nd ed.). Boston: Pearson Education, Inc.
This book, published by the renowned Honeynet Project, presents an intelligence report on attackers who use the Internet for destructive purposes. The majority of the book is an in-depth guide to honeynets, which are networks made up of honeypots designed to capture extensive information on exactly how attackers operate. The analysis of the data captured by honeynets is what makes the book useful for understanding our enemies: it presents real data collected by the Honeynet Project from a variety of different attacks. By discussing examples of honeynets that have been compromised, the book covers profiling the enemy, network forensics, and the lessons learned about common attacks and exploits. It is aimed at security professionals interested in learning the technical skills needed to study and learn from blackhat attacks. A companion website (http://www.honeynet.org/book) keeps the material updated.
McCarthy, L. (2003). IT Security: Risking the Corporation. Upper Saddle River, NJ: Prentice Hall PTR.
Linda McCarthy is currently the Executive Security Advisor for the Office of the CTO at Symantec Corporation. Formerly she was Vice President of a company that developed software to detect, trap, and track hackers. This is an updated version of her original book, published as Intranet Security: Stories from the Trenches. The book uses scenarios drawn from her collection of real security audits to expose crucial flaws in operating systems, networks, servers, and software. Furthermore, it shows how poor training, corporate politics and careless management have caused many of the vulnerabilities. The author provides a number of security checklists, resource listings that can help tighten security, and advice on how to avoid problems in the first place. Chapter 12, "A Hacker's Walk Through the Network," gives a line-by-line transcript of an actual break-in with a description of what the hacker is doing along the way. This is a must-have book for security professionals.
McClure, S., Shah, S., & Shah, S. (2003). Web Hacking: Attacks and Defense. Boston: Pearson Education, Inc.
In this book, Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defenses. The authors include an overview of the Web and what hackers go after, a complete Web application security methodology, detailed analysis of hacking techniques, and countermeasures. The book presents case studies and attack scenarios along with advanced Web hacking concepts, methodologies, and tools. The section "How Do They Do It?" shows how and why different attacks succeed, including e-shoplifting, impersonation and session hijacking, buffer overflows, and automated attack tools and worms. Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques. The authors show how to connect the dots, that is, how the stages of a Web hack fit together, so that you can best defend against them.
Pipkin, D. L. (2003). Halting the Hacker: A Practical Guide to Computer Security (2nd ed.). Upper Saddle River, NJ: Prentice Hall PTR.
Donald Pipkin, CISSP, works for the Internet Security Division of Hewlett-Packard as an information security architect. His best-selling book has been updated to cover current critical threats, tools, and countermeasures. The book is organized around the processes that hackers use to gain access, privileges, and control, and it shows exactly how these processes work, how they compromise information, and what can be done to stop them. Through discussion of many real hacker exploits, the author shows not only how a problem can turn into a security breach, but also why. The book will help you understand hackers: who they are, their motives, what they do, how they do it, and how they avoid detection. It presents both reactive and proactive security measures as well as legal recourse against hackers.
Schneier, B. (2004). Secrets & Lies: Digital Security in a Networked World. Indianapolis, Indiana: Wiley Publishing, Inc. (Original work published 2000)
The author of this book is well known for his previous title Applied Cryptography and his monthly newsletter Crypto-Gram. In Secrets and Lies, the author describes real-world security issues that cryptography or technology alone will not solve. He presents strategies for solving security problems from a systems perspective rather than a technology perspective. While technologies are discussed, his emphasis is on integrating technologies (hardware, software, and networks) and people into security processes. By presenting the limitations of the available technologies, he dispels the myth that technology alone can protect a business from ever-changing threats. He covers the threat landscape, i.e., who the attackers are, what they want, and what businesses need in order to deal with the threats. Finally, his discussion of attack methodologies, threat modeling, and risk assessment is relevant to understanding hackers' techniques and how a business can implement appropriate countermeasures.
Shema, M. (2003). Hacknotes Web Security Portable Reference. Emeryville, California: McGraw-Hill/Osborne.
This book is part of McGraw-Hill/Osborne's HACKNOTES series. It is intended to be a resource guide for Web security, providing condensed security reference information that is easy to use and access. It also targets the new security professional looking to get up to speed quickly and provides a concise, single source of knowledge. In this book you will find a methodology to analyze, pick apart, and secure any Web application; however, the focus is really on the tools and techniques. As a reference guide, it is not meant to be read cover to cover or in any sequential manner; you simply turn to whatever section you need at the moment.
Skoudis, E. (2002). Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses. Upper Saddle River, NJ: Prentice Hall PTR.
Ed Skoudis has been touted as one of the leading network security experts. In this step-by-step guide, he presents detailed explanations of the most destructive hacker tools and tactics, along with proven countermeasures for both UNIX and Windows environments. His book differs from other books on hacking by approaching the issues in several different ways. First, rather than presenting a dictionary of thousands of hacking tools and techniques, the book focuses on understanding each category of tool in depth, so that the appropriate defenses are easier to understand. Second, it covers the attack sequence end to end, presenting a phased approach to attacking and covering defenses at each stage of the attack. Finally, scenarios are used to demonstrate how hackers use multiple tools together to build complete and sophisticated attacks. The book delivers protection solutions that can be implemented right now as well as long-term strategies to improve security in the years to come.