ISSC362.pdf - PART ONE: Hacker Techniques and Tools
• Hacking: The Next Generation (page 2)
• TCP/IP Review (page 23)
• Cryptographic Concepts (page 50)
• Physical Security (page 81)


CHAPTER 1
Hacking: The Next Generation

This book will cover a wide range of techniques and technologies that hackers can use to compromise a system in one way or another. Before you go further, it is important to first understand what hackers are and where they come from.

The first generation of hackers, who emerged in the 1960s, were individuals who would be called “geeks” or technology enthusiasts today. These early hackers went on to create the foundation for technologies such as the ARPANET, which paved the way for the Internet. They also initiated many early software-development movements that led to what is known today as open source. Hacking was motivated by intellectual curiosity; causing damage or stealing information was “against the rules” for this small group of people.

In the 1980s, hackers started gaining the negative connotations by which the public now identifies them. Movies such as War Games and media attention started altering the image of a hacker from a technology enthusiast to a computer criminal. During this period, hackers engaged in activities such as theft of service by breaking into phone systems to make free phone calls. The publishing of books such as The Cuckoo’s Egg and the emergence of magazines such as Phrack cast even more negative light on hackers. In many respects, the 1980s formed the basis for what a hacker is today.

Over the past two decades, the definition of what a hacker is has evolved dramatically from what was accepted in the 1980s and even the 1990s. Current hackers defy easy classification and are better described by dividing them into several groups that match their respective goals.
Here is a brief look at each of the groups, to better understand what the information technology industry is dealing with:

• Script kiddies—These hackers occupy the lowest level of the hacker hierarchy. They typically possess very basic skills and rely on existing tools that they can locate on the Internet. They are beginners and may or may not understand the impact of their actions in the larger scheme of things. It is important, however, not to underestimate the damage these individuals can cause; they can still do a great deal of harm.
• White-hat hackers—These individuals know how hacking works and the danger it poses, but use their skills for good. They adhere to an ethic of “do no harm.” White-hat hackers are also referred to as ethical hackers, the name most widely known by the general public.
• Gray-hat hackers—Hackers in this class are “rehabilitated” hackers, those who once were on “the dark side” but are now reformed. For obvious reasons, not all people will trust a gray-hat hacker.
• Black-hat hackers—A black-hat hacker has, through actions or stated intent, indicated that his or her hacking is designed to break the law, disrupt systems or businesses, or generate an illegal financial return. Hackers in this class should be considered “up to no good,” as the saying goes. They may have an agenda or no agenda at all. In most cases, black-hat hackers and outright criminal activity are not far removed from one another.

The purpose of this book is to teach you how to ensure the security of computers and networks by learning and understanding the mindset of the individuals out to compromise those systems. To defend information technology assets, you need to understand the motivations, tools, and techniques that attackers commonly use.
Chapter 1 Topics
This chapter covers the following topics and concepts:
• What the profiles of hackers, crackers, and cybercriminals are
• What a look back at the history of computer hacking shows
• What ethical hacking and penetration testing are
• What common hacking methodologies are
• How to perform a penetration test
• What the roles of ethical standards and the law are

Chapter 1 Goals
When you complete this chapter, you will be able to:
• Describe the history of hacking
• Explain the evolution of hacking
• Explain why information systems and people are vulnerable to manipulation
• Differentiate between hacking, ethical hacking, penetration testing, and auditing
• Relate the motivations, skill sets, and primary attack tools used by hackers
• Compare the steps and phases of a hacking attack to those of a penetration test
• Explain the difference in risk between inside and outside threats and attacks
• Review the need for ethical hackers
• State the most important step in ethical hacking
• Identify important laws that relate to hacking

Profiles of Hackers, Crackers, and Cybercriminals
In today’s world, organizations have quickly learned that they can no longer afford to underestimate or ignore the threat attackers pose. Organizations of all sizes have learned to reduce threats through a combination of technological, administrative, and physical measures designed to address a specific range of problems. Technological measures include devices and techniques such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control lists (ACLs), biometrics, smart cards, and other devices. Administrative controls include policies, procedures, and other rules. Physical measures include devices such as cable locks, device locks, alarm systems, and other similar devices. Keep in mind that each of these controls, even if expensive, can be cheaper and more effective than cleaning up the aftermath of an intrusion.

NOTE: People who break the law or break into systems without authorization are more correctly known as “crackers.” The press does not usually make this distinction, because “hacker” has become such a universal term. However, there are many experienced hackers who never break the law, and who define hacking as producing an outcome the system designer never anticipated. In that respect, Albert Einstein can be considered to have “hacked” Newtonian physics. In the interest of simplicity, this book will use the term “hacker” to describe those who are either good or evil. No offense is intended to either group.

While discussing attacks and attackers, security professionals must be thorough in assessing and evaluating the threat, which includes considering where it comes from. When evaluating the threats against an organization and possible sources of attack, always consider the fact that attackers can come from both outside and inside the organization. A single disgruntled employee can cause tremendous amounts of damage because he or she is an approved user of the system. In just about any given situation, the attacks originating from outside the firewall will greatly outnumber the attacks that originate from the inside. However, an insider may go unnoticed longer and may also have some knowledge of how things work ahead of time, which can result in a more effective attack. Because the risk to any organization is very real, it is up to each organization to determine the controls that will be most effective in reducing or mitigating the threats it faces.

When considering controls, you can examine something called the TAP principle of controls. TAP is an acronym for technical, administrative, and physical, the three types of controls you can use in risk mitigation.
Here’s a look at each type, with a few examples:
• Technical—Technical controls take the form of software or hardware such as firewalls, proxies, intrusion detection systems (IDS), intrusion prevention systems (IPS), biometric authentication, permissions, auditing, and similar technologies.
• Administrative—Administrative controls take the form of policies and procedures. An example is a password policy that defines what makes a good password. In numerous cases, administrative controls also fulfill legal requirements, such as policies that dictate the privacy of customer information. Other examples of administrative policy include the rules governing the hiring and firing of employees.
• Physical—Physical controls are those that protect assets from traditional threats such as theft or vandalism. Mechanisms in this category include locks, cameras, guards, lighting, fences, gates, and other similar devices.

NOTE: Never underestimate the damage a determined individual can do to computer systems. For example, Michael Calce, commonly known as MafiaBoy, was an individual who in February 2000 launched a series of denial of service (DoS) attacks that were responsible for causing damages estimated upwards of $1.2 billion.

NOTE: Both insiders and outsiders rely on exploits of some type. Remember that an exploit refers to a piece of software, a tool, or a technique that targets or takes advantage of a vulnerability, leading to privilege escalation, loss of integrity, or denial of service on a computer system.

The Hacker Mindset
Depending on whom you ask, you can get a wide range of responses from hackers on how they view their actions.

NOTE: Like many criminals, black-hat hackers do not consider their activities to be illegal or even morally wrong.
It is also not unheard of for hackers or criminals to have a code of ethics that they hold sacred, but that seems more than a little skewed to others. In defense of their actions, hackers have been known to cite all sorts of reasons, including the following:
• The no-harm-was-done fallacy—If one enters a system, even in an unauthorized manner, it is OK as long as nothing is stolen or damaged in the process.
• The computer game fallacy—If the computer or system did not take any action or have any mechanism to stop the attack, it must be OK.
• The law-abiding citizen fallacy—Writing a virus is not illegal, so it must be OK.
• The shatterproof fallacy—Computers cannot do any real harm. The worst that can happen is a deleted file or erased program.
• The candy-from-a-baby fallacy—If it is so easy to copy a program or download a song, how can it be illegal?
• The hacker fallacy—Information should be free. No one should have to pay for books or media. Everyone should have free access.

NOTE: Although it is true that the mere act of writing a computer virus is not illegal, releasing it into the “wild” is illegal.

NOTE: Although it is true that applications or data can be erased or modified, worse scenarios can happen under the right circumstances. For example, consider what could happen if someone broke into a system such as a 911 emergency service and then maliciously or accidentally took it down.

Another example of attempting to explain the ethics applied to hackers is known as the hacker ethic. This set of standards dates to Steven Levy in the 1960s. In the preface of his book, Hackers: Heroes of the Computer Revolution, Levy stated the following:
• Access to computers and anything that might teach you something about the way the world works should be unlimited and total.
• All information should be free.
• Authority should be mistrusted, and decentralization should be promoted.
• Hackers should be judged by their hacking, not by criteria such as degrees, age, race, gender, or position.
• You can create art and beauty on a computer.
• Computers can change your life for the better.

Ethics are an important component in understanding what makes a hacker, but far from the only component. One must also consider motivation. Anyone who has watched a police drama or is a fan of detective stories knows that three things are needed to commit a crime:
• Means—Does the attacker possess the ability to commit the crime in question?
• Motive—Does the attacker have a reason to engage in the commission of the crime?
• Opportunity—Does the attacker have the necessary access and time to commit the crime?

Focusing on the second point, motive, helps explain why an attacker might engage in hacking activities. The early “pioneers” of hacking engaged in those activities out of curiosity. Today’s hackers can have any number of motives, many of which are similar to those for traditional crimes:
• Monetary—Attacks committed with the intention of reaping financial gains.
• Status—Attacks committed with the intention of gaining recognition and, by extension, increased credibility within a given group (for example, a hacking group).
• Terrorism—Attacks designed to scare, intimidate, or otherwise cause panic in the victim or target group.
• Revenge or grudge—Attacks conceived and carried out by individuals who are angry at an organization. Attacks of this nature are often launched by disgruntled employees or customers.
• Hacktivism—Attacks that are carried out to bring attention to a cause, group, or political ideology.
• Fun—Attacks that are launched with no specific goal in mind other than to carry out an attack. These attacks can be indiscriminate in their execution.

No matter what the hackers’ motivations are, any of them might result in the commission of a computer-based crime.
For example, attackers may hack a game server to boost their stats in an online game against their friends, but they have still entered a server without authorization.

Hacktivism
A relatively new form of hacking is hacking on behalf of a cause. In the past, hacking was done for a range of reasons that rarely included social expression. Over the past decade, however, there has been an increasing number of security incidents with roots in social or political activism. Examples include defacing the Web sites of public officials, candidates, or agencies that an individual or group disagrees with, or performing DoS attacks against corporate Web sites.

A sampling of common attacks that fit the definition of computer crime includes the following:
• Theft of access—Stealing passwords, stealing usernames, and subverting access mechanisms to bypass normal authentication. In a number of situations, the very act of possessing stolen credentials such as passwords may be enough to bring formal charges.
• Network intrusions—Accessing a system of computers without authorization. Intrusions may not even involve hacking tools; the very act of logging into a guest account may be sufficient to be considered an intrusion.
• Emanation eavesdropping—Using sniffing devices to intercept radio frequency (RF) signals generated by computers or terminals. Years ago, the U.S. Department of Defense established a classified program codenamed TEMPEST that was designed to shield or suppress electronic emanations to protect sensitive and classified government information.
• Social engineering—Basically, telling lies to manipulate people into divulging information they otherwise would not provide. Information such as passwords, PINs (personal identification numbers), or other details can then be used to attack computer-based systems. Although not necessarily a crime in every situation, social engineering methods such as pretexting (tricking an individual into revealing information under false pretenses) are often illegal.
• Posting and/or transmitting illegal material—Distributing pornography to minors is illegal in numerous jurisdictions, as is possessing or distributing child pornography.
• Fraud—Intentional deception designed to produce illegal financial gain or to damage another party.
• Software piracy—The possession, duplication, or distribution of software in violation of a license agreement, or the act of removing copy protection or other license-enforcing mechanisms.
• Dumpster diving—Gathering material that has been discarded or left in unsecured or unguarded receptacles. Dumpster diving often enables discarded data to be pieced together to reconstruct sensitive information.
• Malicious code—Software written with the deliberate purpose of causing damage, destruction, or disruption. Examples include viruses, worms, spyware, and Trojan horses.
• Denial of service (DoS) and distributed denial of service (DDoS) attacks—Overloading a system’s resources so it cannot provide the required services. Both have the same effect, except that a DDoS attack is launched from large numbers of hosts that have been compromised and act after receiving a particular command.
• IP address spoofing—Substituting a forged IP address for a valid address in network traffic or a message to disguise the true location of the message or person. This attack method may also be used as a component of larger attacks such as DoS or DDoS attacks.
• Unauthorized destruction or alteration of information—Modifying, destroying, or tampering with information without appropriate permission. This can involve manual or automated tools developed for the purpose of changing information at rest or in motion.
• Embezzlement—A form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust.
• Data-diddling—The unauthorized modification of data used to forge or counterfeit information. Examples include changing performance review marks, adjusting expense account limits, or “tweaking” reports after the fact.
• Logic bomb—A piece of code designed to cause harm; a logic bomb is intentionally inserted into a software system and activates upon the occurrence of some predetermined date, time, or event.

A Look Back at the History of Computer Hacking
Typical early hackers were technology enthusiasts who were curious about the new technology of networks and computers and wanted to see just how far they could push its capabilities. In the decades since, hacking has changed quite a bit, getting more advanced and cleverer as the technology advanced. For example, in the 1970s, when mainframes were more common in corporate and university environments, hacking was mostly confined to those systems. The 1980s saw the emergence of personal computers (PCs), which meant every user had a copy of an operating system. Because these systems were very similar, a hack that worked on one machine would work on nearly every other PC as well. Although the first Internet worm, in November 1988, exploited a weakness in the UNIX sendmail command, worm and virus writers moved their attention to the world of PCs, where most infections occur today.

As hackers evolved, so did their attacks, as their skills and creativity increased. The first World Wide Web browser, Mosaic, was introduced in 1993. By 1995, hackers began defacing Web sites. Some of the earliest hacks were quite funny, if somewhat offensive or vulgar. In August 1995, hackers defaced the MGM Web site for the movie “Hackers,” suggesting readers attend the DEFCON hacker conference instead.
A 1996 hack of the Department of Justice Web site replaced Attorney General Janet Reno’s picture with that of Adolf Hitler. The next month, hackers defaced the CIA Web site, and later that year the Air Force Web site featured a link to Area 51, a secret government site in Nevada long linked in the popular mind to UFOs. By May 2001, Web sites were being hacked at such a rate that the group that documented them gave up trying to keep track (see http://attrition.org/mirror/attrition/).

By the turn of the century, hacks started to progress from pranks to maliciousness. DoS attacks took out companies’ Internet access, affecting stock prices and causing financial damage. As Web sites began to process more credit card transactions, their back-end databases became prime targets for attacks. As computer-crime laws came into being, the bragging rights for hacking a Web site became less attractive: sure, a hacker could show off to friends, but that didn’t produce a financial return.