[ISN] Tricks of the trade obscure hacker tracks

From: mea culpa (jerichoat_private)
Date: Fri Jan 22 1999 - 11:37:20 PST


Forwarded From: Simon Taplin <stickerat_private>

Tricks of the trade obscure hacker tracks and make anonymity easily attainable

Ever wonder how hackers can spend so much time online and rarely get caught? After all, everything they do on the Internet should be logged, right? Web hits, FTP sessions, Telnet connections, newsgroup postings, burps, and coughs should all be traceable, right? Then how do they pillage and plunder with such ease?

In the good old days, compromising university or government accounts and using them to bounce around the Internet was widespread. Hackers still use these techniques, but they cover their tracks. Temporary guest accounts, unrestricted proxy servers, buggy Wingate servers, and anonymous accounts can keep hackers carefree.

Hackers can become invisible on the Internet by obtaining a test account from an ISP. A hacker can call a small ISP, profess interest, and open a guest account for a couple of weeks by giving false information. Then, using Telnet, the unwanted guest can connect to any other compromised account.

University computers are notorious for their easy accessibility to the public. Hackers can take advantage of the lack of monitoring to store the majority of their scripts and tools on the university system. And many universities give out free shell or Internet accounts to "students" supplying little more than a valid name and student registration number.

From there they can exploit old Wingate servers (www.wingate.com) that allow Telnet redirection by default. Discovered in early 1998, this bug permits unfettered Telnet access to anyone on the Internet through a Wingate proxy server. The bug has been fixed, but many sites have not yet applied the fix. Scanning a list of Wingate servers discovered at a popular hacker Web site, we found at least five (out of 127) machines still vulnerable to this bug. If you use Wingate, be sure to download Version 3.0, which fixes this and other problems.
    
    
Anonymous surfing

Proxy servers let small organizations protect their internal systems. But an improperly configured system can be vulnerable. Be sure to scan the external interface of your proxy servers. Check for open ports, especially ports 80 (unless you are Web publishing), 3128, 8080, and 10080. Out of 282 systems we scanned, more than one half (151) provide proxy services to the world. All Internet users have to do is change proxy settings in their Web browsers to an available proxy server, and it's clear sailing.
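One way to carry out the check recommended above on your own proxy's external interface, as an added example that is not part of the original article: it sends an absolute-URI request on each of the listed ports and reports a port as an open relay only if the proxy answers with a success or redirect status for a third-party URL (www.example.com is an assumed target; the fake_proxy helper is a constructed local stand-in so the script runs offline).

```python
import socket
import threading

PROXY_PORTS = (80, 3128, 8080, 10080)   # ports the article says to check
PROBE_URL = "http://www.example.com/"   # assumed third-party target for the relay probe


def build_probe(url: str = PROBE_URL) -> bytes:
    # An absolute-URI request line: only a forwarding proxy will fetch it for us.
    host = url.split("/")[2]
    return f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def relays(response: bytes) -> bool:
    # 2xx/3xx means the proxy fetched the remote page on our behalf;
    # 407 (auth required), 403, or an empty reply means it did not.
    parts = response.split(b"\r\n", 1)[0].split()
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and parts[1][:1] in (b"2", b"3"))


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port relays our request to a third party without credentials."""
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(build_probe())
            data = b""
            while len(data) < 512:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
        return relays(data)
    except OSError:            # closed port, timeout, reset: not an open relay
        return False


def fake_proxy(open_relay: bool) -> int:
    """Constructed local stand-in for a proxy; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nrelayed" if open_relay
                         else b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("open relay:", probe("127.0.0.1", fake_proxy(True)))
    print("authenticated proxy:", probe("127.0.0.1", fake_proxy(False)))
```

Against a real host, run `probe(host, port)` for each port in PROXY_PORTS from outside your network; any True result is a proxy that the whole Internet can use.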
    
Some Web sites offer free anonymous Web surfing, which is a boon for all of us privacy paranoids out there, but a nightmare for law enforcement. Both CyberArmy (www.cyberarmy.com) and Anonymizer (www.anonymizer.com) offer free, albeit slow, anonymous Web surfing. Connecting to a Web page through their free services will mask your identity. Connecting through Anonymizer's ISP you get the following identity:

    Connect from sol.infonex.com [209.75.196.2] (Mozilla /4.5 [en] (TuringOS; Turing Machine; 0.0))logged.

And from CyberArmy's redirector server you get this identity:

    Connect from s214-50.9natmp [216.22.214.50] (Mozilla/4.01 (compatible; NORAD National Defence Network))logged.

TuringOS and NORAD National Defence are spoofed origins that mask the originating system.
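Those two spoofed identities are the visible trace a site operator gets, so they can be matched in connection logs. Below is an added example, not part of the original article, that parses log lines of the shape quoted above and flags the ones carrying the TuringOS or NORAD National Defence Network markers; the third sample line is a constructed ordinary visitor.

```python
import re

# Shape of the "Connect from host [ip] (agent)logged." lines quoted in the article.
CONNECT_RE = re.compile(
    r"Connect from (?P<host>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] \((?P<agent>.*)\)logged\.")

# Spoofed origin strings the article attributes to Anonymizer and CyberArmy.
ANON_AGENT_MARKERS = ("TuringOS", "NORAD National Defence Network")


def parse_connect(line: str):
    """Return {host, ip, agent} for a connect line, or None if it does not match."""
    m = CONNECT_RE.search(line)
    return m.groupdict() if m else None


def anonymizer_source(rec: dict):
    """Name the marker that flags this record as coming through an anonymizing proxy."""
    for marker in ANON_AGENT_MARKERS:
        if marker in rec["agent"]:
            return marker
    return None


def triage(lines):
    """Split log lines into (flagged, ordinary) lists of parsed records."""
    flagged, ordinary = [], []
    for line in lines:
        rec = parse_connect(line)
        if rec is None:
            continue
        marker = anonymizer_source(rec)
        if marker:
            rec["marker"] = marker
            flagged.append(rec)
        else:
            ordinary.append(rec)
    return flagged, ordinary


# Constructed sample: the two identities quoted in the article plus a normal visitor.
SAMPLE_LOG = [
    "Connect from sol.infonex.com [209.75.196.2] (Mozilla /4.5 [en] (TuringOS; Turing Machine; 0.0))logged.",
    "Connect from s214-50.9natmp [216.22.214.50] (Mozilla/4.01 (compatible; NORAD National Defence Network))logged.",
    "Connect from dialup-12.example.net [192.0.2.12] (Mozilla/4.5 [en] (WinNT; I))logged.",
]

if __name__ == "__main__":
    hits, rest = triage(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ip']:16} {rec['host']:22} via {rec['marker']}")
    print(f"{len(rest)} ordinary connection(s)")
```

A flagged record tells you only that the visitor came through one of these services; as the article notes, the logged IP then points at the proxy rather than the real origin.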
    
Lucent also has a proxy server meant to protect your privacy (www.lpwa.com). Like the others, the Lucent Personalized Web Assistant can make you anonymous by tunneling all of your Web traffic through its proxy server. The only difference with Lucent is you must provide your e-mail address to sign in.

Anonymous service providers such as Anonymizer and Lucent have the right intentions -- protecting your privacy -- but like any umbrella they can be abused. Services such as these can be a hacker's dream. Anonymizer offers Internet security and privacy for corporate customers and individuals, and effectively makes them invisible. They don't store cookies, they block Java and JavaScript access, and they remove all identifier strings.

To its credit, Anonymizer severely limits to whom they give shell accounts. But at $7 a month, anyone with a good story should be able to obtain one. They keep logs for 48 hours but don't record the source IP address. To guard against abuse, Anonymizer will shut down service to a particular Web site if abuse is reported. But with no source IP logging, it must shut down service to that site for all customers.

Privacy cheerleading

Don't get us wrong, we are the first to jump on the privacy bandwagon whenever it rolls by, but at what cost? Even if all of the software bugs contributing to anonymous connections are fixed, more and more ISPs will inevitably offer anonymous connectivity. How will you defend your site against the possible onslaught of phantom hack attempts? Will logged IP addresses quickly turn into ghosts offering little more than a place to begin?
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:54 PDT