[ISN] How Hackers Hack

From: InfoSec News (isnat_private)
Date: Wed Apr 18 2001 - 15:14:36 PDT

  • Next message: InfoSec News: "[ISN] Crackers Expand Private War"

    http://www.pcworld.com/hereshow/article/0,aid,45726,00.asp
    
    Kim Zetter and Andrew Brandt, PCWorld.com
    Monday, April 02, 2001
    
    With the click of a mouse on one computer, the screen of the laptop a
    few feet away flashes wildly as a flood of data flies silently across
    a private network cable connecting the two machines. Within a minute
    the laptop's file sharing password is compromised.
    
    "The computer is having a bad day," says a reporter as he watches the
    effect of the attack on his machine. "Packets are coming at it so
    fast, the firewall doesn't know what to do."
    
    Some hackers claim they can teach a monkey how to hack in a couple of
    hours. We asked two hackers, Syke and Optyx (at their request, we are
    using their hacking pseudonyms rather than their real names), to give
    us non-simian reporters a demonstration.
    
    What we got was a sometimes-frightening view of how easily nearly
    anyone's computer--at home or at work, protected or not--can be
    cracked by a determined hacker. But we also found out that computer
    users can make a hacker's job much harder by avoiding a few common
    mistakes.
    
    Syke, a 23-year-old white-hat hacker, and Optyx, a 19-year-old
    self-proclaimed black hat, both work in computer security (Syke, until
    recently, for a well-known security software vendor; Optyx for an
    application service provider).
    
    They launch their attack on our notebook from desktop computers
    located in the windowless basement that is New Hack City, a sort of
    hacker research-and-development lab (and part-time party lounge).
    
    The lab's rooms are filled with over a dozen Sun SPARC servers,
    assorted network hubs and mountains of ethernet cable, an arcade-size
    Ms. Pac Man game, and a DJ tower stocked with music-mixing equipment
    for all-night hacker jams.
    
    
    Hacking 101
    
    "You should understand," says Optyx, as he enters a few commands that
    bring our machine to its knees, "no matter what people do, hackers
    will always find a way to get into systems."
    
    Just as he says this, Optyx uses a program to get the laptop to spew
    out a bit of data identifying its operating system and version.
    
    He then runs the program that cracked the file sharing password in the
    blink of an eye. We watch as he uses another tool to root through
    files in the laptop's shared directory.
    
    As hacking goes, the methods our two instructors use on our laptop are
    not very elegant--the equivalent of using brute force to knock in a
    door--and through the machine's software firewall, we are immediately
    aware that the machine is being hacked. But, save from disconnecting
    our machine from the network cable, we're powerless to stop it.
    
    Most hacking attacks, however, are much more invisible.
    
    
    Open Sesame
    
    The methods hackers use to attack your machine or network are fairly
    simple. A hacker scans for vulnerable systems by using a demon dialer
    (which will redial a number repeatedly until a connection is made) or
    a wardialer (an application that uses a modem to dial thousands of
    random phone numbers to find another modem connected to a computer).
    
    Another approach used to target computers with persistent connections,
    such as DSL or cable connections, employs a scanner program that
    sequentially "pings" IP addresses of networked systems to see if the
    system is up and running.
    
    Where can a hacker find such tools? On the Internet, of course.
    
    Sites containing dozens of free, relatively easy-to-use hacking tools
    available for download are easy to find on the Net. While
    understanding how these tools work is not always easy, many files
    include homegrown documentation written in hacker shoptalk.
    
    Among the programs available are scanning utilities that reveal the
    vulnerabilities on a computer or network and sniffing programs that
    let hackers spy on data passing between machines.
    
    Hackers also use the Net to share lists of vulnerable IP
    addresses--the unique location of Internet-connected computers with
    unpatched security holes. Addresses of computers that have already
    been loaded with a Trojan horse are available for anyone to exploit
    (in many cases without the owner of the computer knowing).
    
    Once the hacker finds a machine, he uses a hacker tool such as
    Whistler to identify in less than a second what operating system the
    machine is using and whether any unpatched holes exist in it. Whistler
    also provides a list of exploits the hacker can use to take advantage
    of these holes.
    
    (Not to be confused with the code name for the next generation of
    Windows, this Whistler is one of a handful of legitimate tools used by
    system administrators to test the security of their systems.)
    
    
    Security Software Alone Can't Stop Them
    
    Syke and Optyx explain that several conditions make it easier for them
    to hack into a system. Lax security is one of them--such as when a
    company uses no passwords on its system or fails to change Windows'
    default passwords.
    
    In October 2000 hackers broke into Microsoft's system and viewed
    source code for the latest versions of Windows and Office after
    discovering a default password that an employee never bothered to
    change.
    
    Other common mistakes: When system administrators don't update
    software with security patches, they leave vulnerable ports open to
    attack. Or when they install expensive intrusion detection systems,
    some fail to monitor the alarms that warn them when an intruder is
    breaking in.
    
    Still another boon to hackers is a firewall or router that is
    misconfigured, allowing hackers to "sniff" pieces of data--passwords,
    e-mail, or files--that pass through the network.
    
    
    Got Root?
    
    Once a hacker cracks into a system, his next goal is to get root, or
    give himself the highest level of access on the machine. The hacker
    can use little-known commands to get root, or can search the documents
    in the system's hard drive for a file or e-mail message that contains
    the system administrator's password.
    
    Armed with root access, he can create legitimate-looking user accounts
    and log in whenever he wants without attracting attention. He can also
    alter or delete system logs to erase any evidence (such as command
    lines) that he gained access to the system.
    
    But a hacker doesn't need root access to affect a system. He can
    misroute traffic intended to go to one company's Web server to a
    different one. Or, exploiting a well-documented bug (for which there's
    a patch that many sites haven't applied), a hacker can replace any Web
    page with his own text using a simple set of UNIX commands typed into
    the browser's Address bar.
    
    
    Denying Service
    
    A more serious threat, however, comes from skilled hackers who launch
    a denial-of-service attack, in which a Web server is flooded with so
    many requests that it stops responding altogether.
    
    Previously one of the most common attacks, DoS attacks are now much
    harder to accomplish. Large Internet companies counter them by buying
    larger Internet pipes, which are harder to fill with the junk data
    hackers throw at them. The more bandwidth a company has, the more
    service the hacker needs to interrupt in order to produce a noticeable
    effect.
    
    Hackers quickly learned that a single computer couldn't send enough
    phony requests to deny service, so they came up with a clever approach
    that employs dozens of hacked computers, working in synch to execute a
    distributed denial-of-service attack.
    
    A DDoS attack uses as many computers as the hacker can control (called
    "zombies") to send bogus data requests to a targeted server. To
    unleash the attack, the hacker sends just one command, which
    propagates to all of the zombies and causes a near-instantaneous
    death-by-data on the Web server.
    
    A hacker can also use an army of compromised computers to steal
    data--such as credit card numbers and proprietary corporate
    files--without leaving a clear trail. The hacker hops from machine to
    machine and then launches an attack that passes through all of them,
    creating a maze of connections for authorities to sift through.
    
    University systems are prime targets for such activity, since
    administrators often leave student accounts active after students have
    graduated. A hacker can take over the account and use it as a base to
    attack another system.
    
    In December 2000 hackers broke into a U.S. Air Force system in
    Virginia and downloaded code for controlling communication and spy
    satellites to a computer in Sweden. The Swedish company that owned the
    system housing the data had no idea hackers were using its computer,
    and cooperated with authorities.
    
    From Sweden the activity was traced to a university machine in
    Germany, which authorities also believe was being used by a distant
    hacker.
    
    
    Online Espionage
    
    Hackers can silently collect information from a machine for months
    without being detected. Using a Trojan horse, a hacker can log
    keystrokes on a computer (to obtain a user's passwords) or use a
    "sniffing" program to collect sensitive data as it passes from one
    computer to another.
    
    Sniffer software is a bit like a radio in that it simply listens for
    traffic to pass by it on the network wire. Sniffers are undetectable
    by the user and (usually) by the system administrator.
    
    
    Nowhere to Hide
    
    It might seem that, with all the ways hackers can get into your
    system, there's no safe place for your data to hide. Optyx would
    agree--to a point.
    
    Casually typing commands on his keyboard that sends our laptop into
    further frenzy, Optyx says that simply running antivirus software
    alone, or having a firewall or intrusion detection system, won't
    prevent the theft of data or hacking of your computer.
    
    "If people hack your machine," continues Optyx, "they hack it through
    a vulnerability."
    
    He recommends that, in addition to using the above tools, every user
    install the latest security patches on their critical software,
    including the operating system and the applications they regularly
    use. "The only way to protect yourself is to patch up the holes," he
    says.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 01:40:05 PDT