http://www.itp.net/news/516118-i
By Imthishan Giado
Arabian Computer News
April 13, 2008

When asked to describe what a typical 'hacker' looks like, most people will resort to film clichés such as Keanu Reeves from the Matrix. The typical hacker profile is that of a dank, unkempt loner who lives in a basement lit by the harsh glow of an LCD and gleefully punches away at a keyboard, defacing websites and leaving rude messages on desktops.

That's the old reality, says Jeremiah Grossman, CTO and founder of web security specialists WhiteHat Security, former information security officer for Yahoo! and the keynote speaker at this month's HackInTheBox security conference in Dubai.

"It used to be about ideology, the art of the hack and getting a reputation. We're now seeing a trend towards financially motivated hacks, where a lot of smart people all over the world make their living out of doing illicit hacks online. You have rogue marketing types that hack websites to improve their global ranking. State-sponsored hacking happens all the time. You also have things like the Russian Business Network hiring hackers to carry out e-commerce-type fraud and identity theft. So you'll see a wide spectrum of bad guys monetising in different types of ways," he explains.

While these attacks are a daily reality for most net citizens and corporations, Petko Petkov, founder of ethical hacker think tank GNUCitizen, says that the trend has not yet reached its peak, and suggests which organisations make the most vulnerable targets.

"Banks and corporations that hold personal details will probably be the first types of targets. A lot of these new-age Web 2.0 companies and websites are also at risk. There is not one specific target - whatever is easy to compromise is a good enough target for attackers.

"The hacking business is not as mature as it will get in the future.
Right now it mostly involves compromising PCs and hooking them to botnets and such, but in the future - I'm not talking about the distant future but probably a year or two ahead - organised crime will start using hacker tricks for all sorts of things - modifying public records or black public relations, which is where companies hire a group of hackers to break into their competition and steal data, make it public through some channel and as such defame the company. This stuff is not uncommon - we've seen it happen and it's already been on the news," he warns.

WhiteHat's Grossman says that although application developers are responsible for the vulnerabilities which allow hackers easy access to corporate systems, they should not be expected to resolve the problem quickly.

"It's way outpacing quality assurance personnel's ability to effectively pentest [penetration test] all these vulnerabilities. Beyond that, even if we're able to know their exact location, remediation is almost impossible at this point due to the volume of work being generated," he claims.

The problem, suggests Petkov, is that enterprises have expanded too quickly, with infrastructure growth outpacing the ability of IT teams to secure it.

"I've tested numerous corporate networks where inside it's fairly relaxed because the user is trusted. With no proper segmentation between different networks and no security restrictions, it's complete chaos. Once an attacker gets into the corporate network it's a matter of time to get to the real interesting data. Many corporations try to resolve the problem on the upper level by installing firewalls, intrusion detection and sometimes prevention systems," he says.

He lists a number of possible means by which attackers can gain access to a network - and surprisingly few require sophisticated IT knowledge. One of the key problems is, as he mentioned earlier, the low level of security within corporate networks.
While most corporations erect expensive firewalls to keep hackers out, a far easier strategy for an attacker is to target senior users who travel with laptops and have corporate VPN access. Once these users connect to their home networks or public Wi-Fi hotspots, they are easy prey for hackers, who can inject their machines with malicious code and later steal their credentials when they reconnect to the corporate VPN.

Another method which is only slightly more involved is to erect a complete fake network. This fools laptops - which often have a preferred wireless connection list - into thinking that they are in their regular office environment. If the attacker controls the network, says Petkov, anything is possible.

"If that user starts using their e-mail client, which probably runs in the background and starts performing checks, the credentials sometimes travel in the clear. When the attacker controls the network silently, they will be able to steal this information. This hack can be performed in about five minutes," he states.

Some entry methods are shockingly basic and reflect the scant attention which enterprises pay to fundamental physical security.

"One of the most basic ways of compromising a corporate network is to walk into one of the offices. The entrances sometimes have access to Ethernet sockets, so the attackers install a small device, hide it away from casual observation and use it to access the corporate network. This is very basic stuff," reveals Petkov.

The tools used for these attacks are often not what one expects, says Thomas Blackard, MST team chief and senior technical threat analyst MST II for the US Army.

"I've seen people do strange things with Asus Eee PCs and a modified Sega Dreamcast with a network adapter and a modem setup in a wiring closet with access. If you have quantifiably important equipment then you need to take equitable measures to secure that from the outside world; don't use a glass door, use a metal door.
You don't want to impede the users, but you want to impede processes into areas where humans don't necessarily need to be," he says.

Even the VoIP telephones widely used in the Middle East represent a threat, says Alessio Pennasilico, founder of Italy-based security firm Alba ST.

"The danger is confidentiality. Often by phone we talk about important things, especially managers, but if you don't implement any encryption, phone calls can be eavesdropped. This is obviously also a problem of traditional telephony, but in VoIP you don't need to be physically near the device to eavesdrop - you can do it from a remote location with a free internet connection. The problem is that encrypting communications needs money and competence, and there are very few companies that implement encryption," he says.

Pennasilico outlines a common VoIP exploit known as 'vishing'. It works in a similar way to its web equivalent and namesake, phishing.

"It's the same as phishing except that you don't receive an e-mail, you receive a phone call with a changed number or spoofed caller ID. On the display of your phone appears perhaps the number of your bank. You pick up the phone and listen to a recorded message saying that you have some problem with your account and asking you to enter your credit card number or account number on the keypad. This fraud started in the US and will soon be known all over the world because it's really cheap and technically simple," he warns.

Of course, one of the key factors in dealing with a potential attack is detecting it as soon as possible. But this is often hampered by the number of false positives, says the US Army's Blackard.

"You really don't know an attack's an attack until after you've gone and looked at it again. It may be a junior technician installing a new laptop someplace which has a bad network card going up and down, flapping, generating a lot of noise traffic.
Probably eight out of ten incidents are an actual failure of the device more than an actual attack," he explains.

Most security experts concur that it's better to have an in-house security team to deal with threats and update the security measures of the organisation, rather than outsourcing security to a third party.

"Short term, outsourcing is better. Here's the downside to a contract firm - they have no real vested interest in a company beyond billable hours. Long term, what you want is a cadre of your own personnel because they will be able to take ownership of the equipment that's there.

"What you need is a guy that's really good at firewalls, a guy that's good at databases, a guy that's good at clients and so on. You'll want to have one or two generalist guys that are good at just about everything so that you have coverage all day long, and then you want to have a couple of specialists as your heavy hitters," recommends Blackard.

Petkov, however, says that enterprises should be mindful of the cost factor: "If you have your own in-house security team, like a tiger team, to test your networks on a constant basis, this is a huge plus, but it may become quite expensive for companies. They then have to outsource that service, which is a more convenient solution and is also very flexible."

Blackard suggests that enterprises can take one of two approaches to security: "You can do a defence-in-depth approach - which is what I prefer - where your outer perimeter is just as strong as your inner perimeter and you have a whole series of air gaps and breaks in networks, you have dissimilar segments, you do a lot of things that make it very difficult for the individual to apply any one exploit to get all the way into your network.

"The other school of thought is a company having very soft, non-protected insides and then these huge, monstrous, enormously expensive firewalls they hide behind. The question is, how much is your data worth to you?" asks Blackard.
In closing, WhiteHat's Grossman has some advice for CIOs on securing their online property: "Know what websites you have and rank their importance, because you can't secure what you don't know you own."

"Secondly, you have to measure your security, good, bad or otherwise. You have to constantly assess the security of your web-based property - if you don't, the bad guys will. Lastly, for defence in depth, throw up as many roadblocks as possible to prevent a compromise. You don't have to achieve 100% security, but you should at least be more secure than your peers," he concludes.

-=-

The IT blacklight

If a company suffers a serious intrusion and experiences a significant financial or data loss, it may be time to call in the CSI of the IT world - forensics investigators like Mandiant's Jamie Butler. His job is to treat enterprise IT systems like a virtual crime scene and sift through them for evidence of how the attacker gained access and, most importantly, whether they're still there.

"Often the attacker wants to maintain a presence on the systems that they've broken into so that whatever value they're taking, they can continue to do so in the future. What they leave behind is generally classified as malware, and we look for those types of indicators," says Butler.

Butler notes that attackers usually don't compromise more systems than they have to: "They don't want to compromise a lot of boxes because then their footprint gets much bigger. If you have a client with 2000 hosts on a network, you won't see that 50% of those are compromised; it'll be less than 10% or 5%."

And just like CSI, contamination of the crime scene causes problems for Butler: "If at the onset they don't realise there's an attack, enterprises might run a set of diagnostic tools to give them more information. That process makes the hosts dirtier - and what I mean by that is that they destroy some of the physical evidence by erasing the memory or running tools that write to the disk.
Once you write to the disk, recovery becomes impossible for the files that have been deleted, and you might only get a portion of it back with forensic tools."
This archive was generated by hypermail 2.1.3 : Mon Apr 14 2008 - 00:55:43 PDT