[ISN] How Hackers Cover Their Tracks

From: mea culpa (jerichoat_private)
Date: Thu Jan 28 1999 - 12:38:25 PST


    Forwarded From: "Synthe Omicron" <syntheat_private>

    How hackers cover their tracks
    January 25, 1999
    by Stuart McClure and Joel Scambray

    (IDG) -- Ever wonder how hackers can spend so much time online and rarely
    get caught? After all, everything they do on the Internet should be
    logged, right? Web hits, FTP sessions, Telnet connections, newsgroup
    postings, burps, and coughs should all be traceable, right? Then how do
    they pillage and plunder with such ease?

    In the good old days, compromising university or government accounts and
    using them to bounce around the Internet was widespread. Hackers still use
    these techniques, but they cover their tracks. Temporary guest accounts,
    unrestricted proxy servers, buggy Wingate servers, and anonymous accounts
    can keep hackers carefree.

    Hackers can become invisible on the Internet by obtaining a test account
    from an ISP. A hacker can call a small ISP, profess interest, and open a
    guest account for a couple of weeks by giving false information. Then,
    using Telnet, the unwanted guest can connect to any other compromised

    University computers are notorious for their easy accessibility to the
    public. Hackers can take advantage of the lack of monitoring to store the
    majority of their scripts and tools on the university system. And many
    universities give out free shell or Internet accounts to "students"
    supplying little more than a valid name and student registration number.

    From there they can exploit old Wingate servers that allow Telnet
    redirection by default. Discovered in early 1998, this bug permits
    unfettered Telnet access to anyone on the Internet through a Wingate proxy
    server. The bug has been fixed, but many sites have not yet applied the
    fix. Scanning a list of Wingate servers discovered at a popular hacker Web
    site, we found at least five (out of 127) machines still vulnerable to
    this bug. If you use Wingate, be sure to download Version 3.0, which fixes
    this and other problems.

    Anonymous surfing

    Proxy servers let small organizations protect their internal systems. But
    an improperly configured system can be vulnerable. Be sure to scan the
    external interface of your proxy servers. Check for open ports, especially
    ports 80 (unless you are Web publishing), 3128, 8080, and 10080. Out of
    282 systems we scanned, more than one half (151) provide proxy services to
    the world. All Internet users have to do is change proxy settings in their
    Web browsers to an available proxy server, and it's clear sailing.
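    The self-check the paragraph above recommends, as an added example that is
    not part of the original article: it tries a TCP connect to the four listed
    ports on a proxy's external address, and for any port that answers it sends
    the absolute-URI GET a browser sends once it has been pointed at a proxy and
    judges the reply. The status-code heuristic in classify_proxy_reply, the
    target URL and the function names are assumptions of this example, not
    anything the authors describe.

```python
import socket
import sys
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# The ports the article singles out on a proxy's external interface.
PROXY_PORTS = (80, 3128, 8080, 10080)


def check_ports(host: str, ports: Iterable[int] = PROXY_PORTS,
                timeout: float = 2.0) -> Dict[int, bool]:
    """Attempt a TCP connect to each port; True means something accepted it."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            results[port] = sock.connect_ex((host, port)) == 0
    return results


def classify_proxy_reply(status_line: str) -> str:
    """Judge what the first line of an HTTP reply to an absolute-URI GET says.

    Heuristic (an assumption of this example): 2xx/3xx means the service
    fetched the remote URL on the caller's behalf, i.e. it relays for anyone
    who can reach it; 407 means it demands proxy credentials; 403 means it
    refused; any other 4xx/5xx means it did not act as a proxy for us.
    """
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    code = int(parts[1])
    if 200 <= code < 400:
        return "relays"
    if code == 407:
        return "auth-required"
    if code == 403:
        return "refused"
    return "not-proxying"


def probe_open_proxy(host: str, port: int, target: str = "http://example.com/",
                     timeout: float = 3.0) -> str:
    """Send a proxy-style request (absolute URI in the request line) and classify the reply."""
    request = (f"GET {target} HTTP/1.0\r\n"
               f"Host: {urlsplit(target).netloc}\r\n\r\n").encode("ascii")
    first = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\n" not in first:          # read only up to the status line
            chunk = sock.recv(512)
            if not chunk:
                break
            first += chunk
    status_line = first.decode("iso-8859-1", "replace").split("\r\n", 1)[0]
    return classify_proxy_reply(status_line)


def open_loopback_listener() -> Tuple[socket.socket, int]:
    """Helper for local testing: a listening socket on an ephemeral loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    # Usage: python proxy_selfcheck.py <external address of your proxy>
    external = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, is_open in check_ports(external).items():
        verdict = probe_open_proxy(external, port) if is_open else "closed"
        print(f"{external}:{port} -> {verdict}")
```

    Only a "relays" verdict is the finding the article warns about: the proxy
    fetched a third-party URL for an unauthenticated caller on its external
    side. "auth-required" and "refused" mean the port is reachable but the
    service is restricted, which is the state you want.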
    Some Web sites offer free anonymous Web surfing, which is a boon for all
    of us privacy paranoids out there, but a nightmare for law enforcement.
    Both CyberArmy and Anonymizer offer free, albeit slow, anonymous Web
    surfing. Connecting to a Web page through their free services will mask
    your identity. Connecting through Anonymizer's ISP you get the following
    logged:

        Connect from sol.infonex.com [] (Mozilla /4.5 [en] (TuringOS; Turing Machine; 0.0))

    And from CyberArmy's redirector server you get this identity:

        Connect from s214-50.9natmp [] (Mozilla/4.01 (compatible; NORAD National Defence Network))

    TuringOS and NORAD National Defence are spoofed origins that mask the
    originating system.
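    A detection pass over Web-server connect records for the two identity
    strings shown above, as an added example that is not part of the original
    article. The line format is taken from the two entries the authors quote;
    the regular expression, the labels attached to each signature and the
    sample log (constructed for this example, with one benign line added) are
    assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Identity strings the article shows for connections arriving through the two
# free anonymizing services. Labels are this example's own.
ANONYMIZER_SIGNATURES: Dict[str, str] = {
    "TuringOS": "Anonymizer (sol.infonex.com)",
    "NORAD National Defence Network": "CyberArmy redirector",
}

# "Connect from <host> [<ip>] (<agent string>)"; the agent string may itself
# contain parentheses, so the greedy group runs to the last closing paren.
CONNECT_RE = re.compile(r"Connect from (?P<host>\S+) \[(?P<ip>[^\]]*)\] \((?P<agent>.*)\)")


def parse_connect_line(line: str) -> Optional[Dict[str, str]]:
    """Split one connect record into host, ip and agent; None if it is not one."""
    match = CONNECT_RE.search(line)
    return match.groupdict() if match else None


def classify_agent(agent: str) -> Optional[str]:
    """Return the service label if the agent string carries a known signature."""
    lowered = agent.lower()
    for signature, label in ANONYMIZER_SIGNATURES.items():
        if signature.lower() in lowered:
            return label
    return None


def flag_anonymized_connects(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, service label) for every record that came through a known anonymizer."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        record = parse_connect_line(line)
        if record is None:
            continue
        label = classify_agent(record["agent"])
        if label is not None:
            hits.append((record["host"], label))
    return hits


# Constructed sample: the two records from the article plus one ordinary browser.
SAMPLE_LOG = [
    "Connect from sol.infonex.com [] (Mozilla /4.5 [en] (TuringOS; Turing Machine; 0.0))",
    "Connect from ws12.corp.example [192.0.2.45] (Mozilla/4.5 [en] (WinNT; I))",
    "Connect from s214-50.9natmp [] (Mozilla/4.01 (compatible; NORAD National Defence Network))",
    "Accept from 192.0.2.7 port 1234",
]

if __name__ == "__main__":
    for host, label in flag_anonymized_connects(SAMPLE_LOG):
        print(f"{host}: arrived via {label}")
```

    Treat a hit as a tripwire rather than a control: the agent string is
    whatever the proxy chooses to send, so it identifies these two services
    only for as long as they keep using it, and the empty IP field shows why
    the article says the source address tells you nothing once traffic has
    been through such a proxy.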
    Lucent also has a proxy server meant to protect your privacy. Like the
    others, the Lucent Personalized Web Assistant can make you anonymous by
    tunneling all of your Web traffic through its proxy server. The only
    difference with Lucent is you must provide your e-mail address to sign in.

    Anonymous service providers such as Anonymizer and Lucent have the right
    intentions -- protecting your privacy -- but like any umbrella they can be
    abused. Services such as these can be a hacker's dream. Anonymizer offers
    Internet security and privacy for corporate customers and individuals, and
    effectively makes them invisible. They don't store cookies, they block
    Java and JavaScript access, and they remove all identifier strings.

    To its credit, Anonymizer severely limits to whom they give shell
    accounts. But at $7 a month, anyone with a good story should be able to
    obtain one. They keep logs for 48 hours but don't record the source IP
    address. To guard against abuse, Anonymizer will shut down service to a
    particular Web site if abuse is reported. But with no source IP logging,
    it must shut down service to that site for all customers.

    Privacy cheerleading

    Don't get us wrong, we are the first to jump on the privacy bandwagon
    whenever it rolls by, but at what cost? Even if all of the software bugs
    contributing to anonymous connections are fixed, more and more ISPs will
    inevitably offer anonymous connectivity. How will you defend your site
    against the possible onslaught of phantom hack attempts? Will logged IP
    addresses quickly turn into ghosts offering little more than a place to
    begin? Let us know at security_watchat_private

    Stuart McClure, a senior manager at Ernst & Young's Information Security
    Services, and InfoWorld Technology Analyst Joel Scambray have managed
    information security in academic, corporate, and government environments
    for the past nine years.

    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:33 PDT