http://www.pcworld.com/hereshow/article/0,aid,45726,00.asp
Kim Zetter and Andrew Brandt, PCWorld.com
Monday, April 02, 2001
With the click of a mouse on one computer, the screen of the laptop a
few feet away flashes wildly as a flood of data flies silently across
a private network cable connecting the two machines. Within a minute
the laptop's file sharing password is compromised.
"The computer is having a bad day," says a reporter as he watches the
effect of the attack on his machine. "Packets are coming at it so
fast, the firewall doesn't know what to do."
Some hackers claim they can teach a monkey how to hack in a couple of
hours. We asked two hackers, Syke and Optyx (at their request, we are
using their hacking pseudonyms rather than their real names), to give
us non-simian reporters a demonstration.
What we got was a sometimes-frightening view of how easily nearly
anyone's computer--at home or at work, protected or not--can be
cracked by a determined hacker. But we also found out that computer
users can make a hacker's job much harder by avoiding a few common
mistakes.
Syke, a 23-year-old white-hat hacker, and Optyx, a 19-year-old
self-proclaimed black hat, both work in computer security (Syke, until
recently, for a well-known security software vendor; Optyx for an
application service provider).
They launch their attack on our notebook from desktop computers
located in the windowless basement that is New Hack City, a sort of
hacker research-and-development lab (and part-time party lounge).
The lab's rooms are filled with over a dozen Sun SPARC servers,
assorted network hubs and mountains of ethernet cable, an arcade-size
Ms. Pac Man game, and a DJ tower stocked with music-mixing equipment
for all-night hacker jams.
Hacking 101
"You should understand," says Optyx, as he enters a few commands that
bring our machine to its knees, "no matter what people do, hackers
will always find a way to get into systems."
Just as he says this, Optyx uses a program to get the laptop to spew
out a bit of data identifying its operating system and version.
He then runs the program that cracked the file sharing password in the
blink of an eye. We watch as he uses another tool to root through
files in the laptop's shared directory.
As hacking goes, the methods our two instructors use on our laptop are
not very elegant--the equivalent of using brute force to knock in a
door--and through the machine's software firewall, we are immediately
aware that the machine is being hacked. But, save from disconnecting
our machine from the network cable, we're powerless to stop it.
Most hacking attacks, however, are much more invisible.
Open Sesame
The methods hackers use to attack your machine or network are fairly
simple. A hacker scans for vulnerable systems by using a demon dialer
(which will redial a number repeatedly until a connection is made) or
a wardialer (an application that uses a modem to dial thousands of
random phone numbers to find another modem connected to a computer).
Another approach used to target computers with persistent connections,
such as DSL or cable connections, employs a scanner program that
sequentially "pings" IP addresses of networked systems to see if the
system is up and running.
Where can a hacker find such tools? On the Internet, of course.
Sites containing dozens of free, relatively easy-to-use hacking tools
available for download are easy to find on the Net. While
understanding how these tools work is not always easy, many files
include homegrown documentation written in hacker shoptalk.
Among the programs available are scanning utilities that reveal the
vulnerabilities on a computer or network and sniffing programs that
let hackers spy on data passing between machines.
Hackers also use the Net to share lists of vulnerable IP
addresses--the unique location of Internet-connected computers with
unpatched security holes. Addresses of computers that have already
been loaded with a Trojan horse are available for anyone to exploit
(in many cases without the owner of the computer knowing).
Once the hacker finds a machine, he uses a hacker tool such as
Whistler to identify in less than a second what operating system the
machine is using and whether any unpatched holes exist in it. Whistler
also provides a list of exploits the hacker can use to take advantage
of these holes.
(Not to be confused with the code name for the next generation of
Windows, this Whistler is one of a handful of legitimate tools used by
system administrators to test the security of their systems.)
Security Software Alone Can't Stop Them
Syke and Optyx explain that several conditions make it easier for them
to hack into a system. Lax security is one of them--such as when a
company uses no passwords on its system or fails to change Windows'
default passwords.
In October 2000 hackers broke into Microsoft's system and viewed
source code for the latest versions of Windows and Office after
discovering a default password that an employee never bothered to
change.
Other common mistakes: When system administrators don't update
software with security patches, they leave vulnerable ports open to
attack. Or when they install expensive intrusion detection systems,
some fail to monitor the alarms that warn them when an intruder is
breaking in.
Still another boon to hackers is a firewall or router that is
misconfigured, allowing hackers to "sniff" pieces of data--passwords,
e-mail, or files--that pass through the network.
Got Root?
Once a hacker cracks into a system, his next goal is to get root, or
give himself the highest level of access on the machine. The hacker
can use little-known commands to get root, or can search the documents
in the system's hard drive for a file or e-mail message that contains
the system administrator's password.
Armed with root access, he can create legitimate-looking user accounts
and log in whenever he wants without attracting attention. He can also
alter or delete system logs to erase any evidence (such as command
lines) that he gained access to the system.
But a hacker doesn't need root access to affect a system. He can
misroute traffic intended to go to one company's Web server to a
different one. Or, exploiting a well-documented bug (for which there's
a patch that many sites haven't applied), a hacker can replace any Web
page with his own text using a simple set of UNIX commands typed into
the browser's Address bar.
Denying Service
A more serious threat, however, comes from skilled hackers who launch
a denial-of-service attack, in which a Web server is flooded with so
many requests that it stops responding altogether.
Previously one of the most common attacks, DoS attacks are now much
harder to accomplish. Large Internet companies counter them by buying
larger Internet pipes, which are harder to fill with the junk data
hackers throw at them. The more bandwidth a company has, the more
service the hacker needs to interrupt in order to produce a noticeable
effect.
Hackers quickly learned that a single computer couldn't send enough
phony requests to deny service, so they came up with a clever approach
that employs dozens of hacked computers, working in synch to execute a
distributed denial-of-service attack.
A DDoS attack uses as many computers as the hacker can control (called
"zombies") to send bogus data requests to a targeted server. To
unleash the attack, the hacker sends just one command, which
propagates to all of the zombies and causes a near-instantaneous
death-by-data on the Web server.
A hacker can also use an army of compromised computers to steal
data--such as credit card numbers and proprietary corporate
files--without leaving a clear trail. The hacker hops from machine to
machine and then launches an attack that passes through all of them,
creating a maze of connections for authorities to sift through.
University systems are prime targets for such activity, since
administrators often leave student accounts active after students have
graduated. A hacker can take over the account and use it as a base to
attack another system.
In December 2000 hackers broke into a U.S. Air Force system in
Virginia and downloaded code for controlling communication and spy
satellites to a computer in Sweden. The Swedish company that owned the
system housing the data had no idea hackers were using its computer,
and cooperated with authorities.
>From Sweden the activity was traced to a university machine in
Germany, which authorities also believe was being used by a distant
hacker.
Online Espionage
Hackers can silently collect information from a machine for months
without being detected. Using a Trojan horse, a hacker can log
keystrokes on a computer (to obtain a user's passwords) or use a
"sniffing" program to collect sensitive data as it passes from one
computer to another.
Sniffer software is a bit like a radio in that it simply listens for
traffic to pass by it on the network wire. Sniffers are undetectable
by the user and (usually) by the system administrator.
Nowhere to Hide
It might seem that, with all the ways hackers can get into your
system, there's no safe place for your data to hide. Optyx would
agree--to a point.
Casually typing commands on his keyboard that sends our laptop into
further frenzy, Optyx says that simply running antivirus software
alone, or having a firewall or intrusion detection system, won't
prevent the theft of data or hacking of your computer.
"If people hack your machine," continues Optyx, "they hack it through
a vulnerability."
He recommends that, in addition to using the above tools, every user
install the latest security patches on their critical software,
including the operating system and the applications they regularly
use. "The only way to protect yourself is to patch up the holes," he
says.
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Thu Apr 19 03:42 CDT 2001